LastPass is one of the handful of companies out there that helps manage your passwords so you don’t have to remember them all. LastPass sells itself as very secure, assuring users that their data is safe. Unfortunately for those users, LastPass has just announced that they have been compromised. The company is in the process of notifying users of the breach but they assure them in a blog post that while their systems were hacked no user accounts were accessed.
We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
An email is also being sent to all users regarding this security incident.
For now it seems you should be OK, but until LastPass can do a full investigation it’s a good idea that they’re requiring you to re-verify your account.
What do you think of the LastPass hack? Let us know in the comments below or on Google+, Facebook and Twitter.