This can’t be good: LastPass, a service that protects users’ passwords for various online accounts, fell victim to a hacking attack last weekend.
LastPass’ Joe Siegrist said the security team “discovered and blocked suspicious activity” on its network last Friday, but said there was no sign encrypted user vault data had been taken.
“In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised,” he said.
He said the service is confident its encryption measures are enough to protect “the vast majority of users.”
Siegrist said LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side.
Despite this, he said LastPass is taking added measures to ensure data remains secure, including:
– requiring all users logging in from a new device or IP address to verify their account by email, unless they have multifactor authentication enabled.
– prompting users to update their master password.
“We will also be prompting all users to change their master passwords. You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites,” Siegrist said.
On the other hand, he said users do not need to change their passwords on sites stored in their LastPass vaults.
He apologized for the extra steps of verifying accounts and updating master passwords.
Source: GMA News