Security Alerts

LastPass Security Updates


What happened?

Two vulnerabilities were discovered in the LastPass browser extension.


What is the risk?

In certain circumstances, these vulnerabilities could be used to steal passwords or run malicious code, though there have been no confirmed incidents of stolen data or passwords.


What has LastPass done?

Apache Struts2 Vulnerability

What happened?

A vulnerability has been discovered in Apache Struts2, a framework for providing application services through a web server.

What is the risk?

When successfully exploited, this vulnerability gives a cyber attacker the ability to run commands on the web server running the affected software. Exploiting this vulnerability does not require sophisticated technical skill. Active exploits have been widely detected across the Internet.

What is Harvard Information Security doing?

Harvard Branded Phishing Campaign

What happened?

Phishing emails that may appear to be official Harvard communications were sent to internal and external recipients. These messages encourage the user to click a link or download a file.

What is the risk?

Clicking the link exposes the user to malicious code which may install malware on their computer. Once installed, malware provides an attacker access to files and passwords on the computer.

What can I do?

Yahoo Account Information Breach

What Happened?

In late 2014, state-sponsored hackers obtained account information (including names, phone numbers, security challenge questions with answers, and hashed passwords) for 500 million Yahoo accounts.

What is the Risk?

While the passwords exposed were hashed, weak or short passwords will be compromised over time by password cracking tools.

Dropbox Password Leak

While Dropbox is not approved for Harvard data, we realize many members of the community use it for personal data. For University data, you may use departmental shares or Harvard’s instances of Google Drive, OneDrive, and SharePoint.

What Happened?

A security incident at Dropbox in 2012 resulted in the breach of 60+ million email addresses and password hashes. Dropbox has forced password resets for affected users.

What is the Risk?

LastPass Security Update

What Happened?

LastPass has been in the news recently after the disclosure of two vulnerabilities in the LastPass browser plugin. At this time, both vulnerabilities have been fixed. The first was disclosed and addressed a year ago. The second was disclosed and patched two days ago (July 26).

Harvard Targeted Phishing Campaign

Harvard Information Security has been made aware of a phishing email scam targeting the Harvard community. The attackers are posing as Harvard University representatives asking for account information, including HarvardKey credentials, and linking to a fake Harvard login screen. We believe the goal of this phishing attack is to access personal information including W-2s. Harvard Information Security is reaching out directly to any individuals who have been affected by this attack and we are taking other protective steps.

LastPass Security Incident Notifications

LastPass is the preferred password manager recommended by Harvard University Information Security. If you use LastPass, you may have received a security notification regarding a security incident disclosed on Monday June 15th that involves LastPass servers.

What happened?

Cyber criminals illegally accessed LastPass servers and stole the following information:

· Email Addresses
· Password Reminders

SSL/TLS "FREAK" Vulnerability

What is it?

The FREAK (Factoring Attack on RSA-EXPORT Keys) vulnerability is a flaw in some popular SSL clients that allows a connection to be downgraded to weak "export-grade" encryption ciphers whose traffic can be decrypted. These insecure ciphersuites were "retired" decades ago, but if they are still present in the list of ciphers a web server's library will accept, the web site could be tricked into using them for an HTTPS connection.