Security LastPass warns of 'suspicious activity' on their servers, go change your master password now


Posts: 3,073   +97

Popular password manager LastPass has issued a security notice warning users about “suspicious activity” on their network. Specifically, while the company claims its investigation shows no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed, intruders did make off with account email addresses, password reminders, server per user salts, and authentication hashes. Time to change your master passwords.

According to Joe Siegrist, CEO and co-founder LastPass, the authentication hashes should be sufficiently encrypted to prevent anyone from using them to access your account. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. Nonetheless, as a precaution, the company is still asking users to update their master passwords and verify their account by email whenever they log in from a new device or IP address.

The service seems to be dealing with a lot of traffic following the breach. At the time of writing, trying to change the master password results in a server overload message.

Some other recommendations include enabling two-factor authentication, and if you’ve reused your master password on other websites (a big no-no when it comes to online security), you should go change those passwords now.

In a nutshell, the breach doesn’t mean hackers have full access to the passwords of every LastPass user, but if you’ve trusted them with a treasure trove of logins it’s best to make sure you’re not using a weak master password.

Permalink to story.



Always the smart option, suspicious activity... unconfirmed activity by the sounds of it... waiting for you to change your master password....

It was like the heartbleed issue, weak ssl, everyone to change passwords to sites... no stay away wait for fix then change.

Why do people give such pants advice.


Posts: 3,142   +1,311
Thanks for the heads up. MP changed.
I got that server overload message too, but my new password still works.

Dear LastPass User,

We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised.

We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.

We apologize for the inconvenience, but ultimately we believe this will better protect LastPass users. Thank you for your understanding, and for using LastPass.

The LastPass Team
Last edited:


Posts: 3,836   +1,186
My question is... if I have an easy password like 1627384950 and 2 step authentication I should be fine even if someone else knows my pass, right?

I'm tired of inputing a long pass on my phone... I always mess it up :p