
LastPass, our recommended password management application, recently released a statement regarding unusual activity detected in its development environment. Although LastPass discovered unauthorized access to a portion of this environment, it has stressed that no passwords or accounts have been compromised.
Should I be worried that accounts stored in my LastPass vault are compromised?
No. The unauthorized access did not include any password vaults, and LastPass does not store information about your master password, thanks to its secure Zero Knowledge infrastructure. Therefore, your LastPass account, and all the information stored within, is not at risk due to this recent activity.
Should I continue using LastPass to generate and store passwords for my WCM and personal accounts?
Yes. LastPass’s security settings have prevented a breach of confidential customer data, and the company’s message on this incident has been released in the interest of transparency. ITS still recommends using password managers like LastPass to generate secure passwords and safeguard your existing account passwords.
Is there anything I need to do in my LastPass account?
No. ITS has already implemented LastPass’s recommended security settings for our accounts, including multi-factor authentication and setting up trusted devices. For a personal LastPass account, you can always log in and ensure that it is set up as securely as possible.
If you notice any suspicious activity, including any Duo prompts that you did not initiate, or if you have a question about IT security, please reach out to its-security@med.cornell.edu.