LastPass, an online password manager, announced a security-related incident to customers on Nov. 30. The password manager is a service Elon University pays for on behalf of faculty, staff and students.
LastPass stores a user’s various passwords within its databases, where users can access their data with one master password. Elon began offering LastPass premium accounts to the campus community in 2018.
During the incident, some customers had their information leaked, but according to Elon’s Information Security Director Gary Sheehan, this is not a concern for the university. In an email statement to Elon News Network, Sheehan said the accounts offered to faculty, staff and students are free, meaning they hold minimal personal information of users within the campus community.
“At this point, we have not heard of any staff, student or faculty information being leaked,” Sheehan wrote. “Though certain elements of their customers’ information were compromised, the password vaults remained safely encrypted due to LastPass's Zero Knowledge architecture. They are still working diligently to understand the scope of the incident and identify what specific information was affected.”
Sheehan wrote that he recommends those who use LastPass configure it to use multi-factor authentication. The university uses Duo Security, and instructions on how to enroll can be found here.
This incident marks the second time in three months that the company has been breached by the same party, according to reporting from NPR.
Karim Toubba, the company’s CEO, posted an updated statement on Nov. 30 to the LastPass website regarding how they are dealing with these recent events.
“We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo,” read a statement on the company’s website. “We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.”
Elon junior Jaime Landau is a longtime LastPass user. Despite recent breaches of LastPass, Landau will stay with the service.
“If no one has gotten any data, then it’s safe,” Landau said.