LastPass, the password manager tool offered to the University, recently reported a security breach.
Your must-read quick summary
- If you access LastPass by logging in with your Onyen or Kenan-Flagler login, no action is required.
- If you access LastPass with a personal email account or do not log in with your Onyen or Kenan-Flagler password, you must act to protect the security of your passwords. Please read on.
LastPass breach
In this LastPass security breach, the attacker obtained vaults of customers’ data from a backup. The passwords and secure notes found in those backups can be decrypted only with the associated master password. However, the URLs or website links in your vault are not encrypted and could have been exposed.
Do I need to take action?
No. If your LastPass account uses Onyen, Single Sign-On, or a Kenan-Flagler login, you don’t have to do anything. If you are using LastPass through your department, also known as a Federated/Business/Enterprise account, and you log in with your University credentials, your passwords are NOT at risk.
Yes. If you access LastPass using either a personal account or your University-related email with a non-Onyen/Kenan-Flagler password, your passwords are at risk.
Steps to safeguard your accounts
- Create a new stronger and/or longer LastPass master password
- Enable two-factor authentication for LastPass, social media, banking accounts, and other important accounts
- Update your important passwords stored within LastPass, specifically banks, credit cards, email account passwords, etc. Do not re-use passwords across websites and apps and create longer passwords or use passphrases.
References
Notice of Recent Security Incident – The LastPass Blog
Password Manager (LastPass) from Help.unc.edu