LastPass Security Breached

LastPass, a password storage software external the University, recently experienced a security breach.  If you use LastPass to store your passwords, please be aware that an unauthorized party has gained access to archived backups of LastPass production data. 

Basic customer account information was stolen, including company names, end-user names, billing addresses, email addresses, telephone numbers, IP addresses from which you access the LastPass service, and the website URLs you have password-protected accounts on. 

The hacker did not get access to credit card information or website usernames and passwords, secure notes, and form-filled data, although they did get this information heavily encrypted.

There is a chance the hacker may not be be successful getting your master password or other encrypted information if you followed best password recommendations. However, you are at risk for phishing attacks, credential stuffing, or other attacks against online accounts associated with your LastPass vault. They may use knowledge of the websites you visit to target you with fakes more effectively.

LastPass, and most legitimate businesses, will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.

If for any reason you do think your information has been compromised or is at risk, LastPass recommends the following steps. 

If you can still log in to your LastPass account:

• Log out of all other active sessions
• Change your master password
• Update your LastPass account email addresses
• Review your account for suspicious activity
• Restrict your account to only trusted devices
• Restrict your account to only trusted locations

If you have lost access to your LastPass account:

• Revert your master password
• Delete your LastPass account

Read more details about these steps at LastPass.