- Author: Pamela Kan-Rice
On Dec. 22, LastPass announced that late in 2022, a hacker was able to obtain customer information (company names, end-user names, billing addresses, email addresses, telephone numbers and IP addresses) and full, encrypted vaults for many or all of its customers. You can read LastPass' announcement of the breach at https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/.
While UC ANR does not provide LastPass to the ANR community, many of you may have access to LastPass through UCOP or personal accounts. Although we do not have a list of affected customers, it is important to act as if your data has been compromised.
As mentioned above, encrypted vaults, or lists of customer passwords protected under encryption, were stolen in the breach. While these encrypted vaults are protected with your master password or passphrase, a threat actor could crack and decrypt a user vault over time using brute-force methods. Shorter master passwords and passphrases are more vulnerable to brute force. It is strongly recommended that you change all passwords stored in your LastPass vault, particularly any involved with high-value accounts, such as banking. Be sure to enable multi-factor authentication wherever possible.
It is also recommended that you update your master password or passphrase to one of at least 15 characters. An even longer passphrase is recommended. A simple way to create a strong master password or passphrase is to use a sentence structure with multiple words and spaces to maximize security. For example, the quote “Two households, both alike in dignity.” is a long, strong passphrase but also an easy phrase to remember.
Since the threat actor also obtained customer names and email addresses, there is an increased risk of them sending phishing messages to trick you into giving them your master password. Never provide your master password (or any password) to anyone. If anyone asks you for it, immediately contact IT at help@ucanr.edu.
Jaki Hsieh Wojan
Chief information security officer