Pitt Information Technology continues to monitor a security incident affecting LastPass ― the provider for the University’s Password Manager and vault service ― that we first communicated in a Dec. 1 announcement.
LastPass continues to investigate and has reported that attackers were able to download a backup of customer vault data that contains both unencrypted data (such as website addresses) and fully encrypted data (such as website usernames and passwords, notes, and form-filled data).
Passwords remain encrypted, and LastPass master passwords and credit card data have not been compromised. However, the attackers may use the unencrypted data to target LastPass users with other attacks, such as phishing attempts directed toward other accounts that are associated with your LastPass vault.
Pitt IT encourages LastPass users to take the following steps:
- Ensure you are using a strong master password for your LastPass vault consisting of twelve or more characters.
- If you were using a weak master password, we recommend changing any high-value passwords that you are storing in LastPass.
- Never provide your master password to anyone, including anyone claiming to represent Pitt IT or LastPass.
- Remain vigilant for possible phishing emails.
- Report any suspected security incident immediately to Pitt IT by contacting the Technology Help Desk.
Details about the incident, as well as additional updates, will be posted to the LastPass website.
Please contact the Technology Help Desk at +1-412-624-HELP (4357) if you have any questions regarding this announcement.