Update on LastPass breach and recommendations

As many of you may be aware, several months ago, the LastPass password management tool suffered a breach that involves user data. The Information Security Office (ISO) is aware of this situation and is thus making several immediate recommendations which are highlighted below. Additionally, the ISO is investigating the best path forward for a new password management solution.

If you are a LastPass user, either personally or using the Miami enterprise account, we request that you IMMEDIATELY reset your master password as a precautionary risk-reduction measure. Your new master password should have a minimum of 12 characters. (This is a policy for Miami enterprise users.) For instructions on how to change your LastPass master password, please visit the LastPass support page.

We also recommend that you:

  • Change all individual passwords that access high-risk systems or data. To help you better classify data according to its use and to ensure the privacy and confidentiality of the data under our stewardship, please visit the Knowledge Base article Best Practice: Data Classification.
  • Implement multi-factor authentication (MFA), if you have not already done so. This is already required via our enterprise policy. For instructions on implementing MFA for your account, please visit LastPass Support.

These additional measures are necessary because threat actors may possess encrypted copies of Miami and personal vaults. The vaults were encrypted with the master password at the time they were downloaded. If the threat actor is able to break the master password used for encryption, they can gain access to all of the data in the vault.

As always, please stay vigilant when it comes to your own cybersecurity and practice good information security hygiene. Visit Miami’s Information Security Office website for more insights about good security practices.

If you have any questions or concerns, please contact the ISO at