12/22/22 – LastPass – Notice of Recent Security Incident


On 12/22/2022 LastPass acknowledged that their recent incident led to the exfiltration of customer vault data through a backup copy obtained by the threat actor. The vault data remains encrypted, but could potentially be brute-forced by an attacker in an attempt to guess the Master Password and gain access to the entire vault.

Out of an abundance of caution, the UCLA Information Security Office (ISO) recommends all campus LastPass users (both Enterprise and Premium) to rotate their Master Password, regardless of current complexity, at the earliest possible convenience. Additionally, individual secrets stored within vaults should also be rotated based off of risk to the organization if exposed. Especially if the secrets are utilized to access Internet-facing resources, we highly encourage those to be prioritized first. This includes not only passwords, but also certificates, private keys, and other items stored as secure notes within LastPass.

We recommend enabling multi-factor authentication (MFA) for all applications and services that support the feature. This additional layer of security will ensure that even if the username/password is exposed for a particular resource, the threat actor will still need to circumvent the second-factor authentication challenge to gain access.

If you have any questions or concerns, email please security@ucla.edu to open a ticket. Members of the UCLA Information Security team are on-call during the campus closure to assist with urgent matters.