McMaster IT Notice: LastPass Security Incident

December 23, 2022

With safety in mind, McMaster IT Security Services is notifying our community about a recent cyber security incident related to a popular password management service called LastPass: https://www.lastpass.com/. Please be aware of this issue and the necessary precautions:

What happened?

On December 22, 2022, LastPass notified customers that a threat actor had accessed the company’s cloud-based storage environment and was also able to copy a backup of customer data.

What is LastPass?

LastPass is a popular password management service that creates and stores unique, secure passwords for various user accounts on websites across the Internet. LastPass is not a McMaster University service.

Who is impacted?

Anyone using the LastPass service is impacted by this incident.

What actions should I take?

LastPass is advising anyone not using the default settings best practices to change their master password and change the passwords for the websites they have stored in the service. For more information, please see the company’s Notice of Recent Security Incident.

Out of an abundance of caution, McMaster IT Security Services advises that anyone using LastPass change the passwords for any websites with sensitive information stored in the service. It is also recommended to enable multi-factor authentication for websites stored in LastPass.

Where can I learn more?

You can learn more about this incident by reading LastPass’s Notice of Recent Security Incident and related customer support resources.