Hackers have attacked LastPass, the popular online password management service, and stolen data.
In a blog post the company went public with limited details of the security incident:
We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
It’s important to understand that the hackers have not stolen LastPass users’ master passwords. Instead, they have managed to get their hands on the authentication hashes (or checksums) used by LastPass to verify your master password is correct when you try to access the service.
If you chose a weak master password, or if it isn’t very long, then it might be possible for an attacker to crack it through brute force.
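To make the two paragraphs above concrete, here is a small model of what the attackers are holding and why a weak master password still matters. This is an added example written for this post, not LastPass's own code: the only figures taken from the page are the server-side per-user salt and the 100,000 rounds of PBKDF2-SHA256. The client-side round count, the use of the account email as the client-side salt, and the exact way the two derivations are chained are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# From the LastPass statement quoted above: a random per-user salt and
# 100,000 rounds of server-side PBKDF2-SHA256.
SERVER_ROUNDS = 100_000
# Assumption for this example: the client also runs PBKDF2 before sending
# anything to the server; the real client-side round count is not on the page.
CLIENT_ROUNDS = 5_000


def client_auth_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """What the client sends in place of the master password.

    Assumption: the lowercased account email is the client-side salt, so the
    same master password at two different accounts yields two different hashes.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), rounds
    )


def server_strengthen(auth_hash: bytes, per_user_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side strengthening before storage: per-user random salt + 100,000 rounds."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, rounds)


def enrol(master_password: str, email: str) -> dict:
    """Build the per-user record the server keeps.

    These are the fields the breach notice says were taken: email, per-user
    salt and the strengthened authentication hash (password reminder omitted).
    """
    salt = os.urandom(16)
    stored = server_strengthen(client_auth_hash(master_password, email), salt)
    return {"email": email, "salt": salt, "auth_hash": stored}


def verify(record: dict, master_password: str) -> bool:
    """Server-side login check: recompute from the candidate password and compare."""
    candidate = server_strengthen(
        client_auth_hash(master_password, record["email"]), record["salt"]
    )
    # Constant-time comparison so the check itself leaks nothing about the hash.
    return hmac.compare_digest(candidate, record["auth_hash"])


def rounds_per_guess() -> int:
    """PBKDF2 iterations an attacker must pay for every single guess at one account."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


if __name__ == "__main__":
    # Constructed sample account; not real user data.
    record = enrol("correct horse battery staple", "alice@example.com")
    print("login with right password:", verify(record, "correct horse battery staple"))
    print("login with wrong password:", verify(record, "password123"))

    # Someone holding the stolen record can test a guess offline exactly as
    # verify() does; what slows them is the work factor per guess.
    start = time.perf_counter()
    verify(record, "guess")
    per_guess = time.perf_counter() - start
    print(f"{rounds_per_guess():,} PBKDF2 rounds per guess, about {per_guess:.3f}s on this machine")
    print(f"a 1,000-word list would take about {per_guess * 1000:.0f}s; "
          f"a 12-character random password would not finish")
```

The design point the timing loop illustrates is the one LastPass is relying on: the per-user salt stops one precomputed table serving every account, and the 100,000 server-side rounds put a fixed price on each guess. That price is only protective if the number of guesses needed is large, which is why a short or dictionary master password is the case the advice to change it is aimed at.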
LastPass says that because the hackers do not appear to have accessed password vaults (which users store in encrypted form on the company’s servers) there should be no need to change passwords on other online sites. Which is obviously a huge relief.
However, it is advising users to immediately change their master password if it is weak or if the same password has been used on other websites. (If you are reusing passwords then you need to get out of that bad habit at once, of course).
Unfortunately, right now LastPass appears to be overloaded with folks trying to reset their master passwords. If it doesn’t work for you, try again in a little while.
Furthermore, if you are not already doing so you really should enable multi-factor authentication on your LastPass account.
As a further precaution, LastPass says it is requiring all users logging in from a new device or IP address to first verify their account by email, unless multi-factor authentication is enabled. Users will also be prompted to update their master password.
The company says it will be emailing users to advise them about the security incident.
Do be careful if you receive an email from LastPass, of course. Amongst the stolen information appears to have been a database of account email addresses - an opportunity for phishers and identity thieves to commit email-based attacks posing as the password management company.
As always, don’t panic. The sky is not falling. Take sensible steps to better secure your account - LastPass’s advice is good.
Hopefully, in due course, they will be ready to share more information about precisely what happened and reassure customers that it won’t happen again.
Of course, hacks against LastPass *have* happened before. In 2011, I was impressed with how LastPass responded when it noticed that hackers had managed to access data on its servers.