YOUR SOURCE FOR IMPROVING INFORMATION SECURITY FOR YOURSELF AND OUR CES COMMUNITY.

LastPass Reports Data Incident

Public Service Announcement

This message applies to people who use LastPass as their personal password manager. LastPass has reported that unauthorized actors have accessed user data and passwords. We are not asking people to stop using LastPass; however, to help you protect your data, we are providing the following answers to FAQs.

What does LastPass do?

LastPass helps people store passwords and other login details for online accounts. People can then easily access them through the web interface, smartphone apps, and browser extensions. These passwords are stored in virtual “vaults,” which are protected by a single master password.

What has LastPass reported?

In December 2022, LastPass shared that criminals used some information stolen in an earlier attack to get backup data, including customer names, addresses, phone numbers, email addresses, and partial credit card numbers. They also took users’ personal password vaults containing website URLs, usernames, and passwords.

What does that mean for me?

Data from your LastPass vault may be available for others to sell or use.

What should I do?

1. Use the criteria on the passwords page to review your master password to see if it is weak.

If it’s weak, then change it to a stronger password.
If it’s not weak, then go to the next step.

2. Compare your master password to any other passwords you maintain (such as your BYU password, if used outside your LastPass vault) to make sure they are not being reused (not the same).

If they are being reused (the same), then change them to be unique.
If they are unique, then go to the next step.

3. Review the passwords stored in your vault to make sure each is strong.

If any of your passwords are weak, change them to be strong. Use the guidelines here.
Once they are all stronger, go to the next step.

4. Review the passwords stored in your vault, and any other passwords you maintain (such as your BYU password, if used outside your LastPass vault), to make sure each is unique.

If any of your passwords are re-used between accounts, change them to be unique.
Once they are unique, continue.

5. Continue to monitor activity on your accounts, especially those at financial institutions, for any action you didn’t take or authorize.

You can learn how to find weak and reused passwords in your vault through the LastPass Security Dashboard.

Use the guidelines on our passwords page to create strong passwords.

To report suspicious technology activity, contact the CES Security Operations Center (SOC) at cessoc@byu.edu or 801-422-7788.

Forward suspicious email messages as an attachment to phishing@byu.edu.

For general questions, contact OIT Technology Support (801-422-4000) or your department CSR for assistance.