Universiteit Leiden


LastPass password manager hacked: change all your passwords

26 January 2023

A password manager is an application that helps you create and store a large number of different, strong passwords. At the end of December 2022, one of the large online password manager providers, LastPass, was in the news because it had been hacked. The University’s Security Office advises LastPass users to take the following security measures as soon as possible.

Change your passwords

If you were a LastPass user with a personal account in September 2022 (or before), you should at least change your master password. It is also advisable to change all your passwords (but in any case the most important ones). If your master password was sufficiently complex, it is unlikely that the hackers would be able to crack it very quickly. However, if you had a weaker password, or used the same password somewhere else, then the risk is fairly high. Stories are already circulating that active password-cracking is currently taking place, so please do this without delay!

Set up multi-factor authentication

You should also make sure that all your important services, such as your email (where you often receive recovery messages if you have forgotten a password), are protected with multi-factor authentication (MFA). With this, you not only give your password but also an additional confirmation, often with a six-digit security code or a push notification. You must therefore never share these codes with anyone else. If you receive an unsolicited text message containing a code of this kind, or if someone phones you and asks for the code in your app, this is often a sign that attackers have obtained your password.

Check your personal information

If you have never used LastPass, you probably don’t need to do anything. However, you can always check a service such as Have I Been Pwned to find out if your data have appeared in a known data breach and, if they have, then specifically change those passwords. If you don’t already use a unique password or password sentence for each service, you should start doing this now!

Should a password manager be used or not?

The LastPass hack raises the question of whether it is still advisable to use a password manager at all. The University’s Security Office has therefore given a more detailed explanation of digital safety and password management on the staff members page. The advice is still to use a password manager and to always set up MFA wherever possible.

Questions?

If you have any questions about secure behaviour, passwords, how attackers operate or anything else relating to data security, please don’t hesitate to contact the Security Office at security@BB.leidenuniv.nl.
