On November 30th, 2022, LastPass (the password management tool used by W&L) reported to customers that their product experienced a global security incident.  On December 22nd, the event was further defined as a significant large-scale data breach. ITS has been monitoring the event while taking action to isolate and mitigate potential threats to all W&L LastPass business accounts.

What have we learned? 

The data breach at LastPass exposed the encrypted password vaults of their users. Unencrypted data like names, email addresses and URLs were also exposed in the incident.

Are LastPass personal accounts impacted? 

Yes. If you have a LastPass personal account, we encourage you to review the following information.

What is the risk to LastPass personal accounts? 

The threat actor may try to use brute-force procedures to reveal primary account passwords and decrypt copies of the vault data they collected. Phishing messages may also be sent in an attempt to trick users into revealing primary account passwords.

What can you do if you have a LastPass personal account? 

ITS recommends that all users with LastPass personal accounts take the following steps to protect their private information.

• First, change the primary account password associated with your LastPass account.
• Next, change all the passwords contained within your LastPass vault.
• Finally, users are encouraged to take steps to set up two-factor authentication for as many accounts as possible, particularly high-value accounts like personal email, banking services, and social media accounts.

While the steps above are inconvenient, ITS believes they are important to ensure LastPass personal account users are protected from the data breach. 

Please contact us through the ITS Helpdesk at X4357 or help@wlu.edu if you have any questions about this