March 3, 2023

LastPass data breach update



Update 3/2/23

Additional details have emerged about the nature of the LastPass data breach that the company disclosed in December 2022. An updated summary of those details is included in the What Happened section below.

UW’s LastPass Enterprise accounts

UW-IT is reviewing the latest disclosures about the LastPass breach and determining next steps for UW’s LastPass Enterprise contract. Updates will be provided on this page:

https://itconnect.uw.edu/tools-services-support/software-computers/mws/my-workstation/security/lastpass/

What to do right now

At this time, UW-IT advises that you perform the following actions on your Enterprise LastPass account:

      • Consider resetting your master password.
      • Review and increase your password iteration count.
      • Review who you have shared passwords with and remove anyone who no longer needs access.

Consumer and Business Accounts

LastPass has published guidance documents for both consumer and business customers, including the following topics:

Free, Premium, and Families Customers

        • Determine if your master password needs to be reset.
        • Ensure the master password hasn’t been reused.
        • Review and increase your password iteration count.
        • Evaluate password hygiene and strength.
        • Turn on dark web monitoring.
        • Enable multi-factor authentication for your account.

More info: https://support.lastpass.com/help/security-bulletin-recommended-actions-for-free-premium-and-families-customers

LastPass Business Administrators

        • Review and enforce master password policies and security reports.
        • Review users’ password iteration count settings and shared folder access.
        • Ensure super admins follow best practices.
        • View What Data Was Accessed on the LastPass blog to find specific information about what encrypted and unencrypted data was exposed.
        • Generate URL reports to assess risks for credential stuffing, phishing, and social engineering attacks.
        • Communicate with end users about the risks associated with these incidents.

More info: https://support.lastpass.com/help/security-bulletin-recommended-actions-for-business-administrators

Please visit the security bulletin links for more information and things to do, including templates for communication.
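Three of the action items above (for UW Enterprise users, for Free/Premium/Families customers, and for Business administrators reviewing users' settings) concern the password iteration count. The added example below is not from this page or from LastPass; it uses Python's standard library to show what that setting does: the master password is stretched with PBKDF2-HMAC-SHA256, and every additional iteration makes each guess against an offline copy of an encrypted vault proportionally more expensive. The sample master password and salt are constructed, and the specific counts (5,000 and 100,100 as older defaults, 600,000 as the current OWASP-recommended minimum) are assumptions stated here rather than values taken from the advisory.

```python
import hashlib
import time

# Constructed sample values for illustration only; not real credentials.
SAMPLE_MASTER_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = b"user@example.edu"

# Assumption: 600,000 is the minimum OWASP currently recommends for
# PBKDF2-HMAC-SHA256; treat it as a floor when reviewing a setting.
RECOMMENDED_MIN_ITERATIONS = 600_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    The iteration count is part of the derivation, so changing it yields a
    different key. That is why a password manager has to re-encrypt the vault
    when the user raises the count, and why the count must be stored alongside
    the vault so the same key can be reproduced at unlock time.
    """
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def iteration_count_is_acceptable(iterations: int,
                                  minimum: int = RECOMMENDED_MIN_ITERATIONS) -> bool:
    """Review check: does a user's setting meet the chosen floor?"""
    return iterations >= minimum


def relative_work_factor(old_iterations: int, new_iterations: int) -> float:
    """How many times more expensive each password guess becomes after a change.

    PBKDF2 cost is linear in the iteration count, so the defender's gain from
    raising the setting is simply the ratio of new to old.
    """
    if old_iterations < 1 or new_iterations < 1:
        raise ValueError("iteration counts must be positive")
    return new_iterations / old_iterations


def time_derivation(iterations: int) -> float:
    """Wall-clock seconds for one derivation on this machine (varies by host)."""
    start = time.perf_counter()
    derive_vault_key(SAMPLE_MASTER_PASSWORD, SAMPLE_SALT, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Assumption: 5,000 and 100,100 are older default counts; 600,000 is the
    # recommended floor. The relative cost is what matters, not the absolute time.
    for count in (5_000, 100_100, 600_000):
        status = "ok" if iteration_count_is_acceptable(count) else "below floor"
        print(f"{count:>9} iterations: {time_derivation(count):.3f}s per guess ({status})")
    print(f"5,000 -> 600,000 makes each guess {relative_work_factor(5_000, 600_000):.0f}x more expensive")
```

A review of iteration counts across an organisation can reuse `iteration_count_is_acceptable` over whatever per-user settings the administrator console exports; the absolute timings printed by `time_derivation` depend on the host, so compare ratios rather than seconds when deciding how far to raise the setting.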

LastPass: Security Incident Update and Recommended Actions

What happened? (Update)

LastPass has released additional information about the series of incidents that they first reported in December. Key points include:

  • They have not seen any evidence of threat actor activity since October 26, 2022.
  • During the course of their investigation, they have taken steps to upgrade security and improve security operations.
  • The first incident began with the compromise of an employee’s laptop, which allowed the threat actor to gain access to a LastPass development environment and internal system secrets. No customer data was accessed at that time.
  • Information gained in the first incident allowed the threat actor to identify targets for a second incident, in which a vulnerability in third-party software allowed them access to cloud backups of encrypted and unencrypted customer data.

Visit the December 2022 post for more information.

References

Sophos: LastPass admits to customer data breach caused by previous breach

LastPass blog and documentation:

OIS resources: