Updated on 3/10/23 to reflect new information
On December 22nd, LastPass notified its customers that, late in 2022, a hacker was able to obtain the full, encrypted vaults for many or all of its customers. On March 1st, LastPass released an update on the details of the security breach. You can read all the details at https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/.
Given this new information, the Information Security Office is now recommending that users move from LastPass to a different password management tool.
Please note that the security of the data you store in any password management tool is entirely dependent on the strength of your master password. The weaker your master password is, the easier it is for someone to crack it and gain access to your vault. While weaker passwords will be cracked sooner, even stronger passwords will very likely be cracked over time. Because of this, we strongly recommend that you change all passwords, particularly any involved with high-value accounts such as banking accounts.
UCR staff, faculty, and students who use LastPass should take the following steps to ensure the safety of their accounts.
- Change your LastPass master password.
- Change every password/credential stored within your LastPass vault/account.
- Enable multi-factor authentication for your LastPass account.
- Strongly consider using a different password management tool.
For updates on this incident, please visit https://blog.lastpass.com