Advisory warning to users of LastPass software – action required


January 6th, 2023

Digital and Technology Services have been alerted to a cybersecurity breach of the commercially available password management software LastPass, whereby an unauthorised party has gained access to sensitive data held by LastPass.

This highly sensitive information includes names, billing addresses, telephone numbers, email addresses, and website URLs that have passwords stored within LastPass.

LastPass is not software provided by the university. However, as it is one of the leading password management products, we are making staff and students aware because they may use LastPass in a personal capacity.

If you use this software, you will need to take action to protect yourself.

Recommendations

While a strong master password for your LastPass account will make it more challenging for hackers to gain access to the passwords contained within your password vault, it is recommended that, as a precaution, you:

  • Change your LastPass master password
  • Change all passwords stored within the vault
  • Change all the passwords for any other systems that share a password with your master password or any password in the vault
  • As ever, be suspicious of all unsolicited email and do not click on links or open attachments in any emails that you were not expecting

It is recommended that you prioritise accounts that are of more value to an attacker, such as bank accounts or primary email accounts. You should also review any notes or form filled data contained in LastPass to identify what the impact of its disclosure to an attacker may be.

LastPass’ multi-factor authentication does not provide any additional protection in this breach, because the attackers have an encrypted copy of the passwords and can attack it offline. Using multi-factor authentication on the systems whose passwords are stored in the vault does, however, help protect those systems.

The LastPass information on this breach is available to read via their website.

Support

Notwithstanding this breach, general advice remains that password managers are the best way to maintain multiple passwords for web applications.

If you have any cybersecurity questions or concerns, please do not hesitate to contact the IT service desk.
