Popular password manager LastPass has issued a security notice warning users about “suspicious activity” on its network. Specifically, while the company says its investigation shows no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed, intruders did make off with account email addresses, password reminders, server per-user salts, and authentication hashes. Time to change your master passwords.
According to Joe Siegrist, CEO and co-founder of LastPass, the authentication hashes should be sufficiently encrypted to prevent anyone from using them to access your account. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. Nonetheless, as a precaution, the company is asking users to update their master passwords and to verify their account by email whenever they log in from a new device or IP address.
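To make the two-stage scheme concrete, here is an added illustration (not LastPass code) of how a client-side PBKDF2 result can be strengthened server-side with a random per-user salt and 100,000 further rounds, and why a copy of the stored hash cannot simply be replayed as a login credential. The client round count, salt length and the use of the email as the client-side salt are assumptions for the example.

```python
"""Two-stage salted PBKDF2-SHA256 authentication hash: client-side rounds,
then 100,000 server-side rounds over a random per-user salt (added example;
CLIENT_ROUNDS, salt size and email-as-client-salt are assumptions)."""
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000    # assumption: illustrative client-side iteration count
SERVER_ROUNDS = 100_000  # the server-side figure given in the article


def client_auth_hash(email: str, master_password: str) -> bytes:
    """Client side: derive the value sent at login. The email acts as a salt so
    the same master password on two accounts yields different login values."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS)


def server_strengthen(client_hash: bytes, per_user_salt: bytes) -> bytes:
    """Server side: re-derive from the received hash with a random per-user
    salt. Only this output is stored, so a stolen database row forces an
    attacker to pay CLIENT_ROUNDS + SERVER_ROUNDS iterations per guess."""
    return hashlib.pbkdf2_hmac("sha256", client_hash, per_user_salt, SERVER_ROUNDS)


def enroll(email: str, master_password: str) -> dict:
    """Create the stored record: email, per-user salt and strengthened hash."""
    salt = os.urandom(16)  # assumption: 16-byte random per-user salt
    stored = server_strengthen(client_auth_hash(email, master_password), salt)
    return {"email": email, "salt": salt, "auth_hash": stored}


def verify(record: dict, email: str, master_password: str) -> bool:
    """Login check: recompute both stages and compare in constant time."""
    candidate = server_strengthen(client_auth_hash(email, master_password),
                                  record["salt"])
    return hmac.compare_digest(candidate, record["auth_hash"])


def stored_hash_replays(record: dict) -> bool:
    """Simulate submitting the stolen stored hash in place of the client hash.
    The server applies its 100,000 rounds to whatever arrives, so the result
    no longer matches the stored value and the login fails."""
    replayed = server_strengthen(record["auth_hash"], record["salt"])
    return hmac.compare_digest(replayed, record["auth_hash"])
```

The stolen salt and hash still allow offline guessing of weak master passwords, which is why the article's advice to pick a strong, unique master password matters regardless of the server-side rounds.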
The service seems to be dealing with a lot of traffic following the breach. At the time of writing, trying to change the master password results in a server overload message.
Other recommendations include enabling two-factor authentication, and if you’ve reused your master password on other websites (a big no-no when it comes to online security), you should go and change those passwords now.
In a nutshell, the breach doesn’t mean hackers have full access to the passwords of every LastPass user, but if you’ve trusted the service with a treasure trove of logins, it’s best to make sure you’re not using a weak master password.