LastPass, a password management system, announced a breach of their services in December of 2022. Unknown actors were able to obtain backup versions of user vaults (an individualized data store of websites, usernames, and passwords), which included both unencrypted and encrypted information.

Virginia Tech was in the process of rolling out LastPass to portions of the university community. While waiting for clarity on the extent and long-term effects of this breach and the corporate response to it, Virginia Tech has decided to pause the rollout until a satisfactory assessment has been completed. Virginia Tech recommends that current users follow the guidance provided below.

Key information and guidance for LastPass users:

What was obtained in the breach? 

• Copies of user vaults that include both unencrypted data such as website URLs and encrypted data such as usernames and passwords, secure notes, or form-filled data.

What did they not get?

• The attackers did not get the encryption keys that are used to encrypt stored usernames and passwords. LastPass does not possess these keys, and they are unique to each user.

What are the risks from this breach? 

• The unencrypted data gives attackers information about where users have accounts. This may allow them to target those accounts for phishing campaigns, etc. 
• The encrypted data is not readily accessible to the attackers and is encrypted by 256-bit AES (Advanced Encryption Standard) encryption. Nevertheless, they do possess a copy of that encrypted data. While it is unlikely that they can decrypt this data anytime soon, there is a risk. Some analysts believe it is only a matter of time before the attackers can crack a given vault and access the encrypted data.

What should LastPass users do to protect themselves?

Virginia Tech recommends that students change all passwords for accounts that are stored in LastPass, including the master password for their account. If the LastPass account is tied to their university credentials, Virginia Tech has advised students against storing their university username and password(s) in LastPass. Virginia Tech also advised students to never use their university credentials for other websites and to avoid reusing passwords. Students have been advised keep an eye out for phishing attempts and to turn on two-factor authentication when available.

LastPass architected their service so that they do not possess unencrypted secrets nor the keys to decrypt them. Encryption and decryption happen in the local client software on individual devices — this is an important layer of protection that mitigates the risk in the event that vault secrets are ever compromised.

Password managers make it more practical to use strong passwords, but unfortunately, they are a rich target for bad actors, as seen with this case. 

The Virginia Tech IT Security Office will continue to monitor information regarding this breach.