
LastPass users encouraged to change passwords stored in … – Virginia Tech Daily


From: Division of Information Technology

In December 2022 LastPass announced a breach of their services. Unknown actors were able to obtain backup versions of user vaults (an individualized data store of websites, usernames, and passwords), which included both unencrypted and encrypted information. Until LastPass can provide information on which vaults were obtained, we must assume that all vaults were obtained. 

As you may know, Virginia Tech was in the process of rolling out LastPass to portions of the university community. While we get clarity on the extent and long-term effects of this breach and the corporate response to it, we are pausing this rollout. We recommend that current users follow the guidance provided below. We still maintain that using a password manager is a valuable security measure that encourages the use of complex passwords, and plan to continue rolling out LastPass accounts to the university once a satisfactory assessment is completed.

Key information and guidance for LastPass users:

  • What was obtained in the breach? 
    • Copies of user vaults that include both unencrypted data such as website URLs and encrypted data such as usernames and passwords, secure notes, or form-filled data.
  • What did they NOT get?
    • The attackers did not get the encryption keys that are used to encrypt stored usernames and passwords. LastPass does not possess these keys, and they are unique to each user.
  • What are the risks from this breach? 
    • The unencrypted data gives attackers information about where you have accounts. This may allow them to target those accounts for phishing campaigns, etc. 
    • The encrypted data is not readily accessible to the attackers and is encrypted by 256-bit AES (Advanced Encryption Standard) encryption. Nevertheless, they do possess a copy of that encrypted data.
    • While it is unlikely that they can decrypt this data anytime soon, there is a risk. Some analysts believe it is only a matter of time before the attackers can crack a given vault and access the encrypted data.

LastPass architected their service so that they possess neither your unencrypted secrets nor the keys to decrypt them. Encryption and decryption happen in the local client software on your device – this is an important layer of protection that mitigates the risk in the event that vault secrets are ever compromised.
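The following Go program is an added illustration of the architecture described above and of why the risk discussed earlier depends on master-password strength; it is not code from LastPass, Virginia Tech, or the original article. It models the client-side design: the vault key is derived on the user's device from the master password (here with PBKDF2-HMAC-SHA256 and a random per-user salt), the secret fields are sealed with AES-256-GCM, and only the site URL is stored in the clear. The iteration count, field layout, and sample entry are assumptions for the example, not LastPass's actual parameters.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// VaultEntry is one record as the user sees it in the client.
type VaultEntry struct {
	URL, Username, Password, Notes string
}

// StoredEntry is what the service stores and what a stolen backup contains:
// the URL in the clear plus salt, nonce and AES-GCM ciphertext of the secrets.
type StoredEntry struct {
	URL              string
	Salt, Nonce, Ciphertext []byte
}

const (
	kdfIterations = 100000 // assumed work factor for the example, not LastPass's setting
	keyLen        = 32     // 32 bytes = AES-256
)

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) written out here so
// the example needs only the Go standard library.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for blk := uint32(1); len(out) < keyLen; blk++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write(binary.BigEndian.AppendUint32(nil, blk))
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newGCM builds the AEAD from the per-user key derived on the client. The
// service never sees the master password, so it never holds this key.
func newGCM(masterPassword string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(masterPassword), salt, kdfIterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptEntry runs on the client. The URL is passed as GCM associated data so
// it stays readable in storage but cannot be swapped without failing the tag check.
func EncryptEntry(masterPassword string, e VaultEntry) (StoredEntry, error) {
	salt, nonce := make([]byte, 16), make([]byte, 12)
	if _, err := rand.Read(salt); err != nil {
		return StoredEntry{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return StoredEntry{}, err
	}
	plaintext, _ := json.Marshal(map[string]string{"u": e.Username, "p": e.Password, "n": e.Notes})
	gcm, err := newGCM(masterPassword, salt)
	if err != nil {
		return StoredEntry{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(e.URL))
	return StoredEntry{URL: e.URL, Salt: salt, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptEntry runs on the client. A wrong master password yields a wrong key,
// and the GCM authentication check fails instead of returning garbage.
func DecryptEntry(masterPassword string, s StoredEntry) (VaultEntry, error) {
	gcm, err := newGCM(masterPassword, s.Salt)
	if err != nil {
		return VaultEntry{}, err
	}
	plaintext, err := gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(s.URL))
	if err != nil {
		return VaultEntry{}, err
	}
	var f map[string]string
	if err := json.Unmarshal(plaintext, &f); err != nil {
		return VaultEntry{}, err
	}
	return VaultEntry{URL: s.URL, Username: f["u"], Password: f["p"], Notes: f["n"]}, nil
}

func main() {
	// Constructed sample entry for the demonstration.
	entry := VaultEntry{URL: "https://example.com/login", Username: "alice", Password: "correct horse battery staple"}
	stored, err := EncryptEntry("long master passphrase", entry)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored in the clear:", stored.URL)
	fmt.Println("password visible in ciphertext:", bytes.Contains(stored.Ciphertext, []byte(entry.Password)))
	_, err = DecryptEntry("wrong guess", stored)
	fmt.Println("wrong master password:", err)
	back, _ := DecryptEntry("long master passphrase", stored)
	fmt.Println("recovered username:", back.Username)
}
```

Read the `StoredEntry` as the contents of a stolen backup: the URL is immediately useful for targeted phishing, while the secrets are only reachable by guessing the master password and repeating the key derivation for every guess. That is why the work factor of the derivation and the length of the master password set the cost of the "matter of time" risk, and why changing the site passwords held in a vault removes most of the value of the stolen copy regardless of whether it is ever decrypted.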

Password managers make it more practical to use strong passwords, but unfortunately, they are a rich target for bad actors, as we have seen with this case. The Virginia Tech IT Security Office will continue to monitor information regarding this breach. 

Additional resources:

  • Instructions on how to change VT passwords
  • Virginia Tech Cybersecurity Awareness Tips
  • Links to all Cybersecurity services offered through the Division of IT
  • LastPass Knowledge Base Article

