LastPass 2022 Compromise

Audience

All users of LastPass prior to September of 2022.

Background

In August of 2022 an attacker was able to access LastPass servers and download sensitive information. This data is believed to include source code and customer data, including names, email addresses, phone numbers, billing information, and crucially the encrypted vault data.

LastPass is a cloud-hosted password management service. Subscribers can store passwords for various websites and, using a browser plugin, log into those websites without memorizing or typing the passwords. The benefit is that one may (and should) use many unique passwords that are not shared between websites: if one site is compromised, those credentials cannot be used to access any other website. LastPass encrypts this data and stores it in the cloud, and the master password is required for decryption. LastPass does not keep a copy of the master password within its system. In principle, theft of LastPass data would be useless because an attacker would not be able to decrypt the vault data.

Impact

The security of password data within LastPass is only as good as the master password that was used. Since attackers have downloaded the vault data, they can attempt decryption on their own systems, bypassing any additional safeguards provided by LastPass. Multi-factor authentication, email notifications, and lockouts will not inhibit the attacker’s attempts to decrypt the vault data.

It’s also worth noting that while passwords and secure notes within a user’s vault are encrypted, information like usernames and website addresses is not. Unfortunately, this means the attackers know the sites and usernames that users have stored in LastPass regardless of their ability to decrypt the user’s vault data.

A “weak” password is much easier to crack. LastPass master password requirements are: at least 12 characters with at least 1 number, 1 lowercase letter, and 1 uppercase letter. A password that only meets this minimum requirement, especially if it contains a dictionary word, could be cracked in a few seconds. Much longer passwords with higher levels of complexity and no common dictionary words could take several centuries to crack. It is difficult to know how secure any password is in reality. It is best to assume your master password may be cracked, exposing your vault data.
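As an added illustration (not part of the LastPass notice or of this advisory), the script below checks a password against the minimum rule quoted above and estimates how many guesses an attacker who tries dictionary words before full brute force would need. The six-word list and the guess rate are constructed assumptions, so only the relative difference between the two cases is meaningful.

```python
import string

# Constructed word list standing in for an attacker's dictionary (assumption: real
# cracking dictionaries hold millions of words and previously leaked passwords).
COMMON_WORDS = ("password", "welcome", "college", "district", "summer", "lastpass")


def meets_lastpass_minimum(pw: str) -> bool:
    """The minimum quoted in the advisory: 12+ characters with a digit, a lowercase
    and an uppercase letter. Meeting it says nothing about resistance to cracking."""
    return (len(pw) >= 12
            and any(c.isdigit() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw))


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover, from the character classes used."""
    size = 0
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def longest_dictionary_word(pw: str) -> str:
    """Longest listed word appearing in the password (case-insensitive), or ''."""
    lowered = pw.lower()
    hits = [w for w in COMMON_WORDS if w in lowered]
    return max(hits, key=len) if hits else ""


def guesses_needed(pw: str) -> int:
    """Worst-case guesses for a modelled attacker: each dictionary word is one guess,
    and only the characters around it are brute-forced; otherwise full brute force."""
    word = longest_dictionary_word(pw)
    alphabet = charset_size(pw)
    if word:
        return len(COMMON_WORDS) * alphabet ** (len(pw) - len(word))
    return alphabet ** len(pw)


def seconds_to_exhaust(pw: str, guesses_per_second: float = 1e9) -> float:
    """Time to try every candidate at an assumed rate. 1e9/s is an illustrative
    assumption; the real rate depends on hardware and on the vault's key derivation."""
    return guesses_needed(pw) / guesses_per_second
```

Running it on a policy-compliant password built from a dictionary word and on a 16-character random string shows the first exhausted in hours at the assumed rate and the second taking far longer than several centuries.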

Changing your LastPass password now will have no effect on the attacker’s ability to compromise your data. Likewise, deleting or cancelling your LastPass account will have no effect.

If your vault is compromised, attackers may use your credentials or sell them, allowing anybody to access your accounts. If your district credentials were stored in LastPass, attackers can access our network to steal (or hold for ransom) data relating to our staff and students, cause damage to our systems, or use our systems as a means to attack other online entities.

Recommendation

In order to ensure the security of your data as well as District assets, we are asking all users of LastPass to immediately change all of their passwords. These include:

  • Your computer logon name and password
  • Outlook and/or MySMCCD name and password
  • Banner name and password
  • Canvas name and password
  • And any other password associated with your District username

Again, changing your LastPass master password or deleting your account would have no impact on the security of your password data. Only by changing the passwords that were stored in your LastPass vault will you ensure the security of your data and identity.

LastPass notice of the incident

LastPass is a trademark of LOGMEIN, INC.