Password manager LastPass said Monday that email addresses and hashed master passwords (authentication hashes) were compromised in a breach. LastPass CEO Joe Siegrist wrote in a blog post that the company does not believe user accounts were accessed in the attack, but the company recommended that users change the master password they use to access their account.
Password managers can be a smart way to increase your online security, until they get hacked.
LastPass, and other password managers like Dashlane and Roboform, were created to address the fact that passwords are a notoriously poor form of security. People tend to use weak, easy-to-remember passwords, re-use passwords across a multitude of accounts, and forget to change their passwords often enough (if at all). LastPass’ solution lets its 76 million users remember just one strong master password, which unlocks all the individual account logins and passwords stored by LastPass in encrypted user vaults.
LastPass says it discovered and blocked “suspicious activity” on its network on Friday. Further investigation revealed that email addresses, password reminders, per-user server salts (random data mixed into each password before hashing, so that precomputed tables are useless and every hash must be attacked on its own), and authentication hashes were all compromised. The good news, according to LastPass, is that no accounts were accessed and attackers did not reach encrypted user vault data (which would include all users’ individual account logins and passwords stored by LastPass).
Because of the way it protects master passwords, LastPass says that the compromised authentication hashes will be very difficult to crack, as long as users created strong master passwords. “We are confident that our encryption measures are sufficient to protect the vast majority of users,” Siegrist said in his blog post.
LastPass employs per-user salts, which means an attacker cannot amortize work across accounts and would have to crack each authentication hash individually. “Further, because a user’s password is hashed thousands of times before being sent to LastPass, and is again hashed 100,000 times before being stored, guesses can’t be done at significant speed,” LastPass press contact Erin Style explained via email. Note that this slows guessing down; it does not make a weak master password safe, since a short dictionary still finishes quickly at any cost per guess.
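To make the cost argument concrete, here is an added worked example (not LastPass’ own code). It models the two-stage scheme the article describes: the client stretches the master password before sending it, the server stretches it again with a random per-user salt and stores the result, and a breach exposes only the email, salt and final hash. The hash construction is an assumption: the article does not name the function, so PBKDF2-HMAC-SHA256 is used, with 5,000 client rounds standing in for “thousands” and 100,000 server rounds as stated. The email, passwords and wordlist are constructed sample data.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters: the article says "thousands" of client-side rounds and
# 100,000 server-side rounds, and does not name the hash. PBKDF2-HMAC-SHA256
# is assumed here purely for illustration.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_hash(email: str, master_password: str) -> bytes:
    """Client-side stretching before the value leaves the user's machine.
    Assumed construction: PBKDF2-HMAC-SHA256 salted with the lower-cased email."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), CLIENT_ROUNDS)


def server_hash(client_value: bytes, per_user_salt: bytes) -> bytes:
    """Server-side stretching of what the client sent, keyed by a random
    per-user salt that is stored next to the result (and leaks with it)."""
    return hashlib.pbkdf2_hmac("sha256", client_value, per_user_salt, SERVER_ROUNDS)


def enroll(email: str, master_password: str) -> dict:
    """Build the record a breach of this kind exposes: email, salt, auth hash."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt,
            "auth_hash": server_hash(client_hash(email, master_password), salt)}


def verify(record: dict, master_password: str) -> bool:
    """Recompute both stages and compare in constant time."""
    candidate = server_hash(client_hash(record["email"], master_password),
                            record["salt"])
    return hmac.compare_digest(candidate, record["auth_hash"])


def hmac_calls_per_guess() -> int:
    """One PBKDF2 round is one HMAC-SHA256 call for a 32-byte output, so this
    is the work an attacker repeats for every guess against every single user."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


def crack(record: dict, wordlist: list) -> tuple:
    """Offline dictionary attack on one leaked record.
    Returns (password, guesses_tried) or (None, guesses_tried). Because the salt
    is per user, nothing computed here can be reused against another record."""
    for n, guess in enumerate(wordlist, start=1):
        if verify(record, guess):
            return guess, n
    return None, len(wordlist)


if __name__ == "__main__":
    # Constructed sample users: same weak password, different per-user salts.
    alice = enroll("alice@example.com", "password1")
    bob = enroll("bob@example.com", "password1")
    print("same password, different hashes:", alice["auth_hash"] != bob["auth_hash"])

    # Constructed mini wordlist; a real attacker would use millions of entries.
    wordlist = ["letmein", "123456", "password1", "qwerty"]
    start = time.perf_counter()
    found, guesses = crack(alice, wordlist)
    elapsed = time.perf_counter() - start
    rate = guesses / elapsed
    print(f"cracked alice: {found!r} after {guesses} guesses, "
          f"~{rate:.1f} guesses/s on this machine")
    print(f"HMAC calls per guess: {hmac_calls_per_guess():,}")
    # Stretching helps only proportionally: a 10-million-entry list still
    # finishes in (10_000_000 / rate) seconds per user, which is why a strong
    # master password, not the iteration count, is what protects a user.
    print(f"10M-word list against one user: ~{10_000_000 / rate / 3600:.1f} h")
```

Running it shows the two effects the article relies on: the per-user salt makes two users with the identical master password produce unrelated hashes, so a cracker starts over for every account, and each guess costs 105,000 HMAC evaluations instead of one. The timing line also shows the limit of that defense: a password that appears early in a common wordlist falls in seconds regardless of the iteration count.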
Even so, LastPass is recommending that all users change their master passwords and set up two-factor authentication. Those with weak master passwords, or who re-used the master password on other sites, should change them immediately. LastPass says it is not necessary to change the individual passwords of accounts stored in LastPass, as that encrypted data was not accessed. As a safety measure, LastPass will require anyone who logs in to their LastPass account from a new device or IP address to verify the login via email, unless the user already has two-factor authentication enabled.
LastPass declined to comment on when the breach first occurred or what attack method was used, as its investigation is still ongoing with the help of federal authorities and third-party experts.