On June 15, LastPass disclosed the discovery of a security incident on its internal network. According to LastPass, no evidence was found indicating that users' encrypted password vaults had been accessed. However, user emails and password hints were compromised. As a precaution, LastPass is requiring all users who log in from a new device or IP address to first verify their account by email, unless they have multi-factor authentication enabled.
In addition, the Duke security offices are recommending that Duke users update their master password and password hints as soon as possible and enable multi-factor authentication on their LastPass account. Users with a LastPass Premium account from Duke can link it with Duke's multi-factor authentication service via the Duo Mobile app.
Expect to receive an email with further details from LastPass, but as always, be on alert for fraudulent emails directed at you that are designed to take advantage of the incident.
If you have any further questions, please contact email@example.com.