LastPass is a popular password management tool used to create, store, and manage passwords. Harvard University provides licensing for LastPass to its employees and students. If you use LastPass, carefully read the following announcement and recommendations to protect your personal and business accounts and Harvard’s confidential information and systems access. 

On December 22, LastPass notified their customers of a cybersecurity incident that may put passwords stored in LastPass at risk. Although this incident was not specific to Harvard, due to the severity of it, your LastPass master password may be at risk. We recommend that you take the following action if you use LastPass and have not changed your LastPass master password to a strong password in the last four weeks:  

1. Change your LastPass master password to a strong password consisting of at least 12 randomly selected characters (including upper and lowercase letters, numbers, and symbols) or at least five randomly selected words (for example, method frame carpet green willow).  
2. Change the passwords for individual accounts in LastPass, prioritizing your email, financial, and Harvard accounts. Refer to these instructions for changing your HarvardKey password and these instructions for changing your HMS account password. 
3. Enable two-factor authentication (2FA) for LastPass and individual accounts. Reject any 2FA prompts that you did not initiate.  
4. Monitor your financial accounts for fraudulent transactions. 

Also, be aware that there is an increased likelihood of phishing and social engineering attempts referencing LastPass that aim to trick you into following a link, downloading an attachment, or providing information. Be vigilant. If an email is suspicious, do not follow links, download attachments, or reply. Even if you do not use LastPass, you may still be targeted by these phishing attacks. If you suspect you have received a phishing email, forward it to phishing@harvard.edu. 

What are the benefits of prioritizing my email and financial accounts? 

Email is often used for password resets. Therefore, if someone gains access to your email account, they can also gain access to accounts registered under your email address. This is another reason to ensure that you have 2FA enabled wherever it is offered.  

These types of attacks are typically motivated by financial gain. If that’s the case, cybercriminals will first target your financial accounts with the passwords they obtain. Of particular concern are your investment, retirement, banking, and cryptocurrency accounts.  

I have many passwords stored in LastPass. Do I need to change all of them?  

It is best to change any passwords stored in LastPass that enable access to important personal or business accounts. If you use the same password for multiple accounts, it is important to change those as well.  

Why is it necessary to change the passwords for my stored accounts, rather than just changing my master password? 

The cybercriminals obtained a copy of your LastPass vault as it was in November 2022, so that offline copy will be unaffected by future master password changes.  

That said, it’s important to change your master password, otherwise, they may try to access your active vault along with your newly changed passwords.  

For more information about this incident, read the public announcement from LastPass. 

Who do I contact if I need help? 
If you are affiliated with Wyss and have questions, contact itsupport@wyss.harvard. If you are affiliated with HMS, contact HMS IT at 617-432-2000 or itservicedesk@hms.harvard.edu. If you are affiliated with HSDM, contact HSDM support at support@hsdm.harvard.edu.