Office of the Chief Information Security Officer

Additional information from LastPass regarding customer vault data has been shared in an updated blog entry published on 12/22/22. In summary, LastPass has acknowledged that their recent incident led to the exfiltration of customer vault data through a backup copy obtained by the threat actor. The vault data remains encrypted, but could potentially be brute-forced by an attacker in an attempt to guess the Master Password and gain access to the entire vault.

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

The UCLA Information Security Office (ISO) recommends changing all secrets that have been stored in LastPass, starting with your Master Password at the earliest possible convenience. This includes not only passwords, but also certificates, private keys, and other items stored as secure notes within LastPass. Complete rotation of all secrets should not be overlooked because if an attacker is able to brute force a vault's Master Password, they will gain full access to all of the contents stored within the vault. Updating everything is the only way to ensure completeness in mitigating this threat.

We also continue to recommend enabling multi-factor authentication (MFA) for all applications and services that support the feature. This additional layer of security will ensure that even if the username/password is exposed for a particular resource, the threat actor will still need to circumvent the second-factor authentication challenge to gain access.

As a result of this incident, the UCLA Information Security Office will be re-evaluating LastPass as the campus password management solution. Additional enrollment into the service will be paused until a decision has been made. For additional information, please visit our FAQ at https://ucla.service-now.com/support?id=kb_article&sys_id=df24b48e1b406d50b6d3639dee4bcb42.