LastPass security incident: Action required
The UCOP IT Service Desk would like to inform all staff of a recent incident with LastPass: During the week of Dec. 19, 2022, LastPass announced that customer information (name, address, telephone, email) and encrypted password vaults (accounts) were stolen.
UCOP password vaults are protected with a very long, complex, randomly generated password.
If you have a personal LastPass account and leverage our site license, you should have a 12-character or longer password. However, please note the following:
- You may be at risk of being socially engineered or phished, as the attacker likely has your name, email address, and phone number.
- Never provide your master password to anyone.
- LastPass and UCOP will never ask for your password.
While the chance of your passwords being decrypted is extremely low, the best way to limit your exposure is to reset every password in your vault. This will render your encrypted vault useless to the attacker. It is also advisable to change your master password.
Key information from the breach:
- To decrypt and access the contents of a password vault, a master password must be entered.
- LastPass never knows or stores master passwords.
- LastPass has strong cryptographic protection to make brute-force guessing of these passwords near impossible.
- LastPass does not encrypt the website addresses in a password vault.
- Frequently changing passwords is an effective security practice. It is good practice to change any high-value passwords stored within LastPass within a reasonable timeframe.
For detailed information, please read LastPass’ announcement.
If you have questions or need additional information, please contact the IT Service Desk at (510) 987-0457 or servicedesk@ucop.edu.