

Pitt Information Technology is aware of media reports that bad actors are attempting to access users’ LastPass accounts using credentials and passwords obtained from unaffiliated third-party data breaches. This malicious activity targets LastPass users across the country, not just at the University of Pittsburgh. It is important to note that LastPass itself has not suffered a data breach. LastPass has published a blog article that explains the attempted attacks and provides guidance on how to ensure your master password remains secure. In short, whenever information from data leaks becomes available on the Internet, attackers attempt to use those username and password combinations to log in to other websites, such as LastPass. Individuals who re-use the same passwords across multiple websites are at greater risk from this type of attack, which is known as “credential stuffing.”

Pitt IT advises that LastPass users take the following steps to ensure their LastPass master password is secure: Make sure your LastPass master password is strong, unique, and sufficiently random. If you have a personal LastPass account, enable multifactor authentication (MFA) protection. If you have a LastPass Business (formerly LastPass Enterprise) account, it is already protected by the University’s Multifactor Authentication Service (Duo). MFA will protect your LastPass account in the event the password becomes compromised. If you receive a notification from LastPass about a blocked login attempt, reset your LastPass password.

Please contact the 24/7 IT Help Desk at 412-624-HELP (4357) if you have any questions regarding this announcement.

Could this be just some kind of weird glitch? It could. But we haven’t had any of those before, and we’ve been watching this a long time. We’re trying to look at what is the worst possible case and how we can mitigate any risks coming out of that.

PCW: We’re talking about blobs, hashes, and salts–a lot of phrases folks aren’t used to hearing. What does all of this mean in terms of what was actually in that data and what someone could glean from it?

Siegrist: You can combine the user’s e-mail, a guess on their master password, and the salt and do various rounds of one-way mathematics against it. When you do all of that, what you’re potentially left with is the ability to see from that data whether a guess on a master password is correct without having to hit our servers directly through the website.

The threat is that once somebody has that process down, they can start running it relatively quickly, checking thousands of possible passwords per second. If you made a strong master password, you are pretty much in the clear–it’s not really an attackable thing. But if you used a dictionary word, that is within the realm of someone cracking it in a reasonable time frame.

Siegrist: When signing in, we’re forcing every user to prove to us that they’re coming from an IP that we’ve seen them come from before, or prove that they still have access to their e-mail. We think by taking those steps, we’re locking down any chance that somebody that guessed one of the master passwords would have any shot of getting in. In retrospect, we probably overthought this a bit and we’re maybe too alarmist ourselves. The real message needs to be that if you have a strong master password, nothing that could have been done would have exposed your data. The only thing we’re worried about is people that have weak ones. A lot of the services on the servers that were involved have also been locked down as a precaution, and we’re still investigating on that end as well. That’s why we’re making all these moves. We haven’t found anything unusual yet, but we’re still looking at it.

If you're a security researcher and believe you have found a security bug or vulnerability with LastPass, please follow these steps: Read the LastPass Security FAQs to make sure your concern hasn't already been addressed. Submit your report via our BugCrowd bug bounty program to report issues. Include a code sample and screencast demonstrating.
