LastPass security breach, how to protect yourself

To: UCSC Community

From: Brian Hall, UCSC Chief Information Security Officer

On Dec. 22, LastPass notified its customers of a cybersecurity incident that may put passwords stored in LastPass at risk.

Although this incident was not specific to UC Santa Cruz, due to its severity, we recommend you take the following actions if you use LastPass:

- Change your LastPass master password to a strong password with at least 12 randomly selected characters. If your master password already meets the default master password settings, no action is needed.
- Change the passwords for individual accounts in LastPass, prioritizing your email, financial, and UCSC accounts, if your passwords do not already consist of at least 12 characters.
- Enable two-factor authentication for LastPass and individual accounts. This provides an extra layer of protection.
- Monitor your accounts for fraudulent transactions. If you notice any unauthorized access or unusual activity, contact the account provider (not LastPass) immediately.

Be aware that there is also an increased likelihood of phishing and social engineering attempts referencing LastPass that may try to trick you into following a link, downloading an attachment, or providing information. If an email is suspicious, do not follow links, download attachments, or reply. Even if you do not use LastPass, you may still be targeted by these phishing attacks. If you suspect you have received a phishing email, forward it to phishing@ucsc.edu.

Further Reading

LastPass: Notice of Recent Security Incident

ITS Update: LastPass Breach