Pitt Information Technology is aware of media reports that bad actors are attempting to access users’ LastPass accounts using credentials and passwords obtained from unaffiliated third-party data breaches. This malicious activity targets LastPass users across the country, not just at the University of Pittsburgh.
It is important to note that LastPass itself has not suffered a data breach. LastPass has published a blog article that explains the attempted attacks and provides guidance on how to ensure your master password remains secure.
In short, whenever information from data leaks becomes available on the Internet, attackers attempt to use those username and password combinations to log in to other websites, such as LastPass. Individuals who re-use the same passwords across multiple websites are at greater risk from this type of attack, which is known as “credential stuffing.”
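Credential stuffing has a recognizable shape on the defender's side: one source tries a leaked list against many different accounts in a short time, rather than one account repeatedly. The Python below is an added illustration, not part of the Pitt IT notice or any LastPass tooling, that flags that pattern in constructed sample login records and reports which accounts the source later logged into successfully (the log format, field names and thresholds are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (not real data): timestamp, source IP,
# username, result. 198.51.100.7 works through a leaked list; 203.0.113.9
# is one user mistyping their own password.
SAMPLE_LOG = """\
2024-01-10T09:00:01 198.51.100.7 alice FAIL
2024-01-10T09:00:02 198.51.100.7 bob FAIL
2024-01-10T09:00:02 198.51.100.7 carol FAIL
2024-01-10T09:00:03 198.51.100.7 dave FAIL
2024-01-10T09:00:04 198.51.100.7 erin SUCCESS
2024-01-10T09:05:00 203.0.113.9 alice FAIL
2024-01-10T09:05:30 203.0.113.9 alice FAIL
2024-01-10T09:06:00 203.0.113.9 alice SUCCESS
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def find_credential_stuffing(log_text, window=timedelta(minutes=5), min_users=4):
    """Return {ip: {"attempted": [...], "succeeded": [...]}} for every source
    that failed logins against at least `min_users` distinct accounts within
    `window`. Repeated failures on a single account do not trigger the rule."""
    failures = defaultdict(list)   # ip -> [(timestamp, username)]
    successes = defaultdict(set)   # ip -> usernames that logged in
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))
        else:
            successes[ip].add(user)
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct accounts attempted in the window opening at this event.
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = {"attempted": sorted(users),
                               "succeeded": sorted(successes[ip])}
                break
    return flagged
```

Accounts listed under "succeeded" for a flagged source are the ones whose re-used password worked, and therefore the ones to reset first; enabling MFA is what keeps a correct guess from becoming a login.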
Pitt IT advises that LastPass users take the following steps to ensure their LastPass master password is secure:
- Make sure your LastPass master password is strong, unique, and sufficiently random.
Learn how to create strong passwords …
- If you have a personal LastPass account, enable multifactor authentication (MFA) protection. MFA will protect your LastPass account in the event the password becomes compromised. If you have a LastPass Business (formerly LastPass Enterprise) account, it is already protected by the University’s Multifactor Authentication Service (Duo).
Learn how to enable MFA in LastPass …
- If you receive a notification from LastPass about a blocked login attempt, reset your LastPass password.