On Monday, online password manager LastPass announced it discovered “suspicious activity” on its network, leading to the compromise of users' email addresses, password reminders, server per user salts, and authentication hashes. The popular program alerted users in a blog post, stating that it had found no evidence that neither the encrypted user vault data was taken, nor that LastPass user accounts were accessed. “We are confident that our encryption measures are sufficient to protect the vast majority of users,” said LastPass’s Joe Siegrist.
“LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
Following the incident, LastPass said it will take additional measures to ensure that users’ data remains secure, and will be notifying impacted users via email. The company urged LastPass account holders to update their master passwords. Furthermore, users logging in from a new device or IP address will be asked to verify their account by email, if they do not have multifactor authentication enabled.
“Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.”
Tripwire senior security analyst Ken Westin says the breach highlights the fact that no password system is 100 percent secure. “Often, people can fall into a false sense of security with password managers, forgetting that the password they use to unlock all of these accounts is just as likely to be stolen as any other password, and as such, should be a strong password that is not used with any other service.”