
LastPass Security Incident – Actions to Take

Recommended actions to take regarding stolen LastPass customer information and encrypted password vaults.

LastPass, UC San Diego’s recommended password manager, experienced a cybersecurity incident in August 2022. At that time, LastPass reported no impact to customer information and no impact to customer password vaults.

However, late last year, LastPass announced that customer information (company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses) and encrypted password vaults were stolen.

Risks

  • We don’t know whether a subset or all of their customers are affected, so we are assuming the worst-case scenario.
  • While the stolen password vaults are encrypted with each user’s master password, the master password could be recovered over time by brute-force guessing and the vault then decrypted; shorter master passwords are more vulnerable to this.
  • Since the threat actor has an offline copy of the encrypted vault, UC San Diego multi-factor authentication would not protect against such brute-force cracking.
  • LastPass also revealed that the website URL is not encrypted within the vault; only the username, password, and notes fields are.
  • Since the threat actor also obtained customer names and email addresses, there is an increased risk of phishing messages designed to trick you into revealing your master password.

Actions to Take

  • Change your master password when prompted. UC San Diego LastPass Enterprise users will be required to change their master password starting Wednesday, January 4. The new password or passphrase must be a minimum of 15 characters containing at least one number. In general, we recommend using a long passphrase of multiple words and spaces for maximum security.
  • Change your UC San Diego Active Directory password by February 8.
  • Enable Multi-factor Authentication for LastPass. This will soon become required.
  • Never provide your master password (or any password) to anyone; if anyone asks you for it, contact the Office of Information Assurance (security@ucsd.edu).
  • We recommend changing any high-value passwords stored within LastPass within a reasonable timeframe and enabling multi-factor authentication on them where possible as well.
  • If you had a weak master password and also stored any personally identifiable information in a LastPass Secure Note, you may also want to consider these identity theft protection tips.
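To make the length argument in the risk list concrete, the following is an added illustration (not LastPass or UC San Diego code) that checks a candidate master password against the stated 15-character/one-number minimum and estimates how long an offline brute-force search of a stolen vault copy would take. The guess rate and the 7776-word passphrase word list are constructed assumptions for illustration only.

```python
import math
import string

# Constructed assumption for illustration only: offline guess rate an attacker
# might sustain against a stolen vault copy (guesses per second, after the
# cost of the vault's key-derivation step). Not a figure from the advisory.
ASSUMED_GUESSES_PER_SECOND = 1e10
# Constructed assumption: size of the word list a passphrase is drawn from
# (the common Diceware list has 7776 entries).
ASSUMED_WORDLIST_SIZE = 7776
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def meets_ucsd_policy(password: str) -> bool:
    """Minimum stated in the advisory: at least 15 characters and at least one number."""
    return len(password) >= 15 and any(c.isdigit() for c in password)


def password_entropy_bits(password: str) -> float:
    """Search space (bits) if every character were drawn uniformly from the
    character classes the password uses. Generous for human-chosen passwords."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def passphrase_entropy_bits(word_count: int, wordlist_size: int = ASSUMED_WORDLIST_SIZE) -> float:
    """Search space (bits) of a passphrase of randomly chosen list words.
    The guesser is assumed to know the list, so only the word choices count."""
    return word_count * math.log2(wordlist_size)


def expected_crack_years(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to reach the right guess: on average half the space is searched."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


def assess(password: str) -> dict:
    """Summarise policy compliance and offline brute-force exposure of a master password."""
    bits = password_entropy_bits(password)
    return {"policy_ok": meets_ucsd_policy(password), "bits": round(bits, 1),
            "years_to_crack": expected_crack_years(bits)}


if __name__ == "__main__":
    for pw in ("Summer22!", "maple harbor kettle orbit 7"):  # constructed samples
        print(pw, assess(pw))
    print("5 random list words:", round(expected_crack_years(passphrase_entropy_bits(5)), 1), "years")
```

The estimates are upper bounds for a uniformly random password; a real attacker starts with leaked-password lists and common patterns, which is why a long multi-word passphrase is recommended over a short "complex" one.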

More Information

General Password Strength Resources