LastPass Security Incident

Time-sensitive update on LastPass password manager

February 13, 2023

Given the severity of the recent security incidents that have affected LastPass, it is no longer recommended to use LastPass as your personal password manager. There are many alternatives available for personal use, such as Bitwarden, 1Password, Dashlane, Keeper, and KeePass.

For enterprise use, we are actively pursuing a new solution. As we wait for updates from the vendor and evaluate potential replacements, we encourage our community to change their personal LastPass master password if they haven't already done so, along with the passwords stored in their personal LastPass vault. We will continue to reach out as new information becomes available.


January 13, 2023

Our teams are continuing to monitor the LastPass security incident. Given the severity of the security incidents that have affected LastPass, it is no longer recommended to use LastPass as your personal password manager.

There are many alternatives available for personal use, such as Bitwarden, 1Password, Dashlane, Keeper, and KeePass.

For enterprise use, we are aggressively pursuing a new solution. We do not have any evidence at this time that ASU data has been compromised as a result of this security incident.

If you decide to migrate your personal passwords to a new password manager:

  • Set up the new password manager first with a unique and secure vault passphrase.
  • Export your personal LastPass vault (exporting is not yet available for ASU LastPass Enterprise accounts).
  • Import your old data into the new password manager.
  • Finally, change the passwords in your vault after you have finished migrating your password manager data.
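The last migration step asks you to change the passwords in your vault once the data has been moved. The following Python script is an added example (not from LastPass, ASU or any vendor) of how to triage an exported vault so the riskiest entries are rotated first: passwords reused across more than one site, then passwords that are short. The CSV column names are an assumption about the LastPass export format; the script reads only the url, username, password and name columns, and the sample export embedded below is constructed for the example and contains no real credentials.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export for this example; these are NOT real credentials.
# The header mirrors the column names assumed here for a LastPass CSV export;
# only the url, username, password and name columns are actually used, so
# extra or differently ordered columns are tolerated.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://example.com/login,alice,Tr0ub4dor&3,,,Example Shop,Shopping,0
https://bank.example.net,alice@example.edu,Tr0ub4dor&3,,,Example Bank,Finance,1
https://mail.example.org,alice,short1,,,Example Mail,,0
https://forum.example.org,alice_f,xK9$mQ2!vL7#pW4&zR8@,,,Example Forum,,0
"""

# Length floor matches the 14-character minimum master password policy
# described elsewhere on this page; applying it to individual site passwords
# as a triage threshold is an assumption made for this example.
MIN_LENGTH = 14


def load_entries(csv_text):
    """Parse the export; skip rows without a password (e.g. secure notes)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if row.get("password")]


def find_reused(entries):
    """Group the names of entries that share one password; returns a list of groups."""
    by_password = defaultdict(list)
    for entry in entries:
        by_password[entry["password"]].append(entry["name"])
    # Never emit the password itself, only the names of the affected entries.
    return [names for names in by_password.values() if len(names) > 1]


def find_short(entries, min_length=MIN_LENGTH):
    """Names of entries whose password is shorter than the threshold."""
    return [e["name"] for e in entries if len(e["password"]) < min_length]


def rotation_plan(entries):
    """Ordered, de-duplicated list of entries to rotate first: reused, then short."""
    ordered = []
    for group in find_reused(entries):
        ordered.extend(group)
    ordered.extend(find_short(entries))
    seen = set()
    return [n for n in ordered if not (n in seen or seen.add(n))]


if __name__ == "__main__":
    for name in rotation_plan(load_entries(SAMPLE_EXPORT)):
        print("rotate:", name)
```

The export file is plaintext, so run this on a local copy and delete the file (and any shell history that references it) as soon as the import has succeeded; the script deliberately reports entry names only and never prints the passwords themselves.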

It's important to use the strongest possible password characteristics (length, letters, numbers, and special characters) available for each site you store in your vault. Using the password manager's built-in generator will allow you to conveniently create unique passwords that are not easily guessed.

As we wait for updates from the vendor and evaluate potential replacements, you should change the vault password and passwords in your LastPass Enterprise vault that might provide access to sensitive data.

We will continue to update the community as information becomes available. We thank you for your continued vigilance.


December 29, 2022

LastPass continues to investigate, and has reported that the attackers were able to download a backup of customer vault data that contains both unencrypted data (website URLs, end-user names, email addresses) as well as fully-encrypted sensitive fields (website usernames and passwords, secure notes, form-filled data).

We don't know if a subset or all of their customers are affected.

While the stolen password vaults are encrypted with each user's master password, there is a possibility the master password could be cracked and the vault decrypted over time via brute-force methods, with shorter master passwords being more vulnerable. Since our Master Password strength policy has always exceeded LastPass' best practices (our policy is a 14-character minimum and four character types), LastPass has stated that no action is required by us.
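The paragraph above explains why master password length matters against offline brute force and states the 14-character, four-character-type policy; the earlier January update recommends using a generator for vault passwords. The Python below is an added example (not code from LastPass or ASU) that checks a candidate master password against that policy, reports the size of the search space an attacker faces in bits, and generates a compliant password with the operating system's CSPRNG. The character classes and the choice of `string.punctuation` as the symbol set are assumptions made for this example; the keyspace figure is a ceiling, not a prediction of cracking time, since it ignores the vault's key derivation cost and the attacker's guess rate, neither of which this page gives.

```python
import math
import secrets
import string

# Policy stated on this page: at least 14 characters and all four character types.
MIN_LENGTH = 14
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),  # assumed symbol set for this example
}


def character_classes(password):
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password):
    """True when the password satisfies the 14-character, four-class policy."""
    return len(password) >= MIN_LENGTH and len(character_classes(password)) == len(CLASSES)


def keyspace_bits(password):
    """log2 of the number of strings an attacker must consider, assuming they
    know only the length and which classes appear (an upper bound on effort;
    dictionary words or patterns make the real search far smaller)."""
    alphabet = sum(len(CLASSES[name]) for name in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def generate_master_password(length=20):
    """Uniformly random compliant password from the OS CSPRNG. Rejection
    sampling (retry until all classes appear) keeps the distribution uniform
    over compliant strings, unlike forcing one character from each class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(sorted(set().union(*CLASSES.values())))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("correcthorsebatterystaple", "Tr0ub4dor&3", "Correct-Horse-Battery-Staple-42"):
        print(f"{sample!r}: policy={meets_policy(sample)} bits={keyspace_bits(sample):.1f}")
    fresh = generate_master_password(20)
    print(f"generated: {len(fresh)} chars, policy={meets_policy(fresh)}, bits={keyspace_bits(fresh):.1f}")
```

The comparison in the main block makes the page's point concrete: an 11-character password using all four classes has a far smaller search space than a 31-character one, and a long all-lowercase phrase fails the four-class rule even though its length is generous. The constructed samples are illustrations only and should not be used as real passwords.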

No one should ever ask you to provide your LastPass master password, and you should always carefully verify any webpage that asks for that information before providing it.

Be alert to new phishing attempts based on the unencrypted data stored in your vault (website URLs).

Continue to follow updates at: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/