LastPass notified us of a security incident in August 2022. We were informed in January 2023 by LastPass representatives that all customer vaults were in the encrypted backup that was acquired by the attackers. This means your credentials could be susceptible to exposure.
In order to reduce the likelihood of any active passwords being exposed, we recommend all LastPass users do the following:
- Change your primary (LastPass calls this master) password using CalNet’s guidance on creating a strong password
- Do not use you primary password for anything else - do not use your CalNet passphrase as your LastPass password.
- Once your primary password has been updated, update all sensitive passwords in your vault, e.g. banking or payment sites.
- Make a risk based decision on changing other passwords. Lower risk account passwords do not need to be changed immediately, but can be changed as they are accessed in the future
- If you have your CalNet stored in LastPass change your CalNet passphrase
- Set up Multifactor Authentication (MFA) to protect your personal LastPass account. Following this step will prompt you to set up a personal Duo account. Users who have trouble with their personal Duo MFA need to work with Duo directly. We also recommend that you set up MFA on all your other accounts that support it, if you have not already done so.
Support for LastPass is provided by LastPass. See: https://support.logmeininc.com/lastpass
For assistance with your non-Berkeley Duo account, contact Duo directly: https://duo.com/support
Report suspected security incidents to email@example.com
Questions about LastPass Business accounts can be directed to firstname.lastname@example.org
Find out what LastPass has to say on this blog post, which they update periodically.