LastPass security incident
Dear LastPass user,
On December 23, 2022, we notified you of a cybersecurity incident involving the University’s third-party password management tool, LastPass. Based on the information provided by the vendor at the time, no action was requested of you beyond being aware that you may see an increase in phishing attempts as a result of this incident. On March 1, 2023, LastPass posted an updated notification about the previously communicated cybersecurity incident.
Based on the most current information provided by LastPass, we will be implementing their recommendation to reset our OHIO accounts in an effort to reduce the risk associated with this incident.
What does this mean for you as a user of LastPass?
1. Your LastPass password will be reset.
Over the next few days, you will be contacted via Microsoft Teams chat by an OIT employee, at which time the OIT employee will change your LastPass password to a temporary password. Please note that you will receive a notification email from LastPass about this change, but no action is required regarding this email.
Your temporary password will be relayed to you via Teams chat. Upon entering the temporary password to log into LastPass, you will then be prompted to enter your Ohio University email/password and accept a multi-factor authentication request to access the service.
You will be prompted to enter the temporary password again and select Save Master Password.
This action will complete the reset process. You will now be able to log into LastPass with your OHIO email and password like before.
2. Your passwords stored within your LastPass vault will need to be reset.
Due to the high value associated with the credentials stored in OHIO’s LastPass vaults, once your account has been reset, you then need to change the passwords stored within your LastPass vault.
We understand that this will be a cumbersome process, but ask that you prioritize this activity and any password changes associated with high-value credentials such as your OHIO credentials, admin credentials, and any credentials associated with access to SSNs, credit card information, or any other highly sensitive data.
3. You will need to re-link any personal or family accounts.
If you have a personal or family LastPass account that was previously linked with your OHIO account, it will no longer appear in LastPass after your account is reset. Should you desire to do so, you will need to re-link your accounts by following the instructions in Using LastPass Family Benefits.
For additional information on recommended steps for securing your personal LastPass account as a result of this security incident, please refer to the Security Bulletin provided by LastPass, which can be found by visiting: https://support.lastpass.com/help/security-bulletin-recommended-actions…
As a reminder:
Continue to be vigilant about social engineering or phishing attacks that attempt to gain access to user information.
Do not accept any multi-factor authentication pushes or phone calls if you are not actively attempting to log into the service.
Report any unusual account activity or potential phishing messages to security@ohio.edu.
The full write-up of the incident provided by LastPass can be found by visiting https://blog.lastpass.com/2023/03/security-incident-update-recommended-…
Sincerely,
Office of Information Technology