LastPass Breach 2022 - FAQ

FAQ on the LastPass security incident

Anyone with a LastPass account should take action to protect their information

What has LastPass said about this incident?

LastPass has released a blog post, which they are updating periodically. In summary, an attacker was able to download a backup of all LastPass customer vaults (regardless of membership level). These vaults contain encrypted passwords, but URLs for stored items are in plain text.

Was my vault compromised?

In LastPass’s blog post, they say that “The threat actor was also able to copy a backup of customer vault data,” which LastPass has confirmed to mean that backups of all vaults were taken. It should be noted here that the vaults are themselves encrypted (though URLs stored there are not).

Why do we call it Primary Password?

In 2021, UC Berkeley IT, along with other UCs, published a guide on removing biased language from our communications, so we are using the term Primary Password here instead of LastPass’s term of Master Password (which you will see when using the LastPass interface).

What do I do now?

On Wednesday, Jan. 11, 2023, UC Berkeley is requiring all users who have a LastPass Business account to update their Primary Password. UC Berkeley recommends that everyone with a LastPass Premium or free account should also update their Primary Password.

Changes that all users should make:

  1. Change your primary (LastPass calls this master) password using CalNet’s guidance on creating a strong password

    1. Make sure your primary password is not used for any other purposes - do not use your CalNet passphrase as your LastPass password.

    2. Once your primary password has been successfully updated, proceed with updating all sensitive passwords stored in your vault, such as those that control access to sites with financial information (banking or payment sites), as well as passwords to sites with access to UC Berkeley resources, including your CalNet passphrase. Updating all your passwords will help prevent unauthorized access to any sites protected by LastPass.

  2. Set your “Password Iterations” to at least 600000

  3. Set up Multifactor Authentication (MFA) on your LastPass account if this is not already set

  4. Update all passwords (and set up MFA where available) on all UC Berkeley accounts, as well as all sensitive or high-value accounts (for example, those with access to financial or banking information).

Are there additional risks I should be aware of?

While the passwords in your LastPass vault are encrypted (locked), the list of websites in the vault is accessible to the attackers and you should be aware that malicious actors may use that data in phishing emails. In addition, since the website URLs stored in the LastPass vaults were not encrypted, we would like you to be cautious about phishing attempts using URLs from your vaults and the knowledge gained there (for example, if you have a Wells Fargo URL in your vault, you may see more phishing attempts claiming to be from Wells Fargo). Here is an excerpt from the security incident notification from LastPass:

“The threat actor may also target customers with phishing attacks, credential stuffing, or other brute force attacks against online accounts associated with your LastPass vault. In order to protect yourself against social engineering or phishing attacks, it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.”

I updated my Primary Password, do I need to do it again?

If you are a LastPass Business user, and your department or group has an account that is managed by UC Berkeley, then you will need to update your primary password after your account’s administrator has updated the setting to require a primary password update, whether or not you have already changed that password.

If you are a LastPass Premium or Free user, and you have a sufficiently strong Primary Password that you have changed since the end of September, then you do not need to update that password. You should still follow all the guidance in the "What do I do now?" section of the FAQ.

How do I check a Password’s Strength?

You are given the strength of any new password when you enter it into LastPass. You can confirm your Primary Password strength at any time or use the Security Dashboard to run a check if you have the appropriate account level.

How do I choose a strong Primary Password?

Please follow CalNet's requirements for choosing a secure passphrase for all your accounts. LastPass provides some guidance on choosing a strong password as well and a popup window will appear to guide you as you change your Primary Password.

How do I check how many Password Iterations my LastPass account uses?

Please follow the instructions from LastPass on updating your Password Iterations.

How do I set up Multifactor Authentication (MFA) with LastPass?

Follow this helpful guide on how to set up MFA on the CalNet site. Please don’t list UC Berkeley as your organization when you set up your personal Duo account.

Do I need to change all my passwords?

Yes, we recommend you do, especially if you have a weak Primary Password (see above) or significantly fewer than the currently recommended 100100 Password Iterations (see above); in that case, update all critical passwords immediately. First, set a strong Primary Password for your LastPass account, and then continue updating all passwords that control access to critical information such as:

  • Passwords that control access to UC Berkeley resources. This includes the CalNet passphrase.

  • Personal email accounts.

  • Passwords that control access to financial information and payments.

  • Accounts with stored credit cards.

Update the critical passwords first, then other passwords can be updated in a more leisurely manner.
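To make the Password Iterations setting and the "weak Primary Password" risk concrete, here is an added example (not part of the UC Berkeley FAQ and not LastPass's own code). It derives a key from a primary password with PBKDF2-HMAC-SHA256, the construction the Password Iterations setting controls, and estimates how much more work each offline guess against a stolen vault backup costs at 600000 iterations than at 100100. The salt, the timing probe password and the entropy figures in the demo are constructed for illustration, and the function names (derive_vault_key, relative_cost, expected_guesses, seconds_per_guess, expected_crack_seconds) are chosen here, not LastPass's.

```python
import hashlib
import math
import time

# Iteration counts quoted in the FAQ above.
OLD_DEFAULT_ITERATIONS = 100_100   # the "currently recommended 100100" figure
RECOMMENDED_ITERATIONS = 600_000   # the "at least 600000" setting the FAQ asks for
KEY_LEN = 32                       # 256-bit derived key


def derive_vault_key(primary_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the primary password; the Password Iterations
    setting is the iteration count passed here. The salt is caller-supplied
    and, in this example, constructed; a real one is account-specific."""
    return hashlib.pbkdf2_hmac(
        "sha256", primary_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def relative_cost(new_iterations: int, old_iterations: int) -> float:
    """How many times more work one offline guess costs at the new setting.
    PBKDF2 work is linear in the iteration count, so this is a plain ratio."""
    return new_iterations / old_iterations


def expected_guesses(entropy_bits: float) -> float:
    """Average number of guesses needed for a password of the given entropy:
    on average an attacker searches half the keyspace."""
    return 2 ** (entropy_bits - 1)


def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Measure one PBKDF2 evaluation on this machine (one CPU core). A
    dedicated cracking rig is far faster per guess, so treat this as an
    upper bound on the attacker's cost, not an estimate of it."""
    salt = b"constructed-salt-for-timing"   # constructed, illustration only
    best = math.inf
    for _ in range(trials):
        start = time.perf_counter()
        derive_vault_key("timing-probe", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           per_guess_at_reference: float,
                           reference_iterations: int) -> float:
    """Scale a per-guess time measured at one iteration count to another,
    then multiply by the expected number of guesses."""
    per_guess = per_guess_at_reference * relative_cost(iterations, reference_iterations)
    return expected_guesses(entropy_bits) * per_guess


if __name__ == "__main__":
    per_guess = seconds_per_guess(OLD_DEFAULT_ITERATIONS)
    print(f"one guess at {OLD_DEFAULT_ITERATIONS} iterations: "
          f"{per_guess * 1000:.1f} ms on this core")
    print(f"cost multiplier at {RECOMMENDED_ITERATIONS} iterations: "
          f"x{relative_cost(RECOMMENDED_ITERATIONS, OLD_DEFAULT_ITERATIONS):.2f}")
    # Constructed entropy figures standing in for a weak, moderate and strong passphrase.
    for bits in (28, 40, 60):
        for it in (OLD_DEFAULT_ITERATIONS, RECOMMENDED_ITERATIONS):
            secs = expected_crack_seconds(bits, it, per_guess, OLD_DEFAULT_ITERATIONS)
            print(f"  {bits}-bit passphrase, {it} iterations: "
                  f"~{secs / 86400:.1f} single-core days")
```

The two levers scale differently: raising the iteration count from 100100 to 600000 multiplies the attacker's per-guess cost by about six, whereas every additional bit of passphrase entropy doubles the expected number of guesses. That is why the FAQ puts a strong, unique Primary Password first and the iteration setting second, and why both still only buy time for a vault backup that is already in the attacker's hands.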

Should I ever share my Primary Password?

You should never share your Primary Password, or any password, with anyone. If anyone asks you to do so, please contact security@berkeley.edu to report it.

How do I delete my LastPass account?

Find out how to delete your account at: https://lastpass.com/delete_account.php

Remember that even if you delete your account, the encrypted passwords contained within it may be at risk. Be sure to change the passwords contained in your vault.