16 Jun 2015
On Monday, LastPass announced that it had been the target of a successful data breach. Here is what you need to know and do now if you rely on this extremely popular service to secure and manage your passwords.

When was the breach discovered?

On Friday, June 12, the LastPass team discovered and blocked suspicious activity on its network.

What damage was done?

LastPass says: "In our investigation, we have not found evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."

I have a LastPass account. Should I be worried?

LastPass says it is confident that its encryption measures are sufficient to protect the vast majority of its users: "LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."

In practice, that means an attacker holding your leaked salt and authentication hash has to repeat the entire client-side and server-side derivation for every single guess at your master password, and the per-user salt means that work cannot be shared across accounts or precomputed. A long, random master password therefore stays out of reach; a short or dictionary-based one does not. Note also that password reminders were among the compromised data: if your reminder effectively gives away your master password, treat that password as exposed.

What happens now?

LastPass is requiring all users who log in from a new device or IP address to first verify their account by email, unless they already have multifactor authentication enabled. It will also prompt users to update their master password.

Should I update my master password now rather than waiting for the notification?

LastPass says that you do not need to update your master password until and unless you see the LastPass prompt. Be very skeptical of any links in emails, instant messages and the like purporting to be from LastPass; phishing attempts that exploit this announcement are likely to follow quickly. Go to the LastPass site or application directly rather than clicking through.

What about all of the passwords stored in my LastPass vault?

Because LastPass found no evidence that encrypted vault data was taken, it says you do not need to change the passwords for sites stored in your LastPass vault.

However, if you have reused your master password on any other website, replace the passwords on those other websites: the leaked hashes can be attacked offline, and a reused password is only as safe as the weakest place it is stored.

Additional advice: use a strong and genuinely random master password if you are using a password vault service such as LastPass. And if you do not already use two-factor authentication on the accounts, services and devices that you want to keep secured, enable it as soon as possible, wherever it is available.
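To make concrete what the quoted "100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side" means for the stolen salts and hashes, here is an added example in Python. It is not LastPass's code and does not reproduce its actual scheme: the client-side iteration count, the use of the account e-mail as the client-side salt, the 32-byte salt length and the sample account are all assumptions for illustration; only the 100,000 server-side PBKDF2-SHA256 rounds and the random per-user salt come from the statement. It walks through enrollment and login, then shows what an attacker holding a leaked (salt, hash) pair has to pay per guess.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

# Iteration counts. The 100,000 server-side rounds come from the LastPass
# statement quoted above; the client-side count is NOT stated in the article,
# so the 5,000 used here is an assumption for illustration only.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_key(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side stretching (assumed layout): derive a 32-byte key from the
    master password, salted with the account e-mail, before anything is sent
    to the server. The server never sees the master password itself."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), rounds, dklen=32)


def server_hash(auth_key: bytes, per_user_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side strengthening: PBKDF2-SHA256 over the received key with a
    random per-user salt. The stored (salt, hash) pair is the kind of data the
    article says was compromised."""
    return hashlib.pbkdf2_hmac("sha256", auth_key, per_user_salt, rounds, dklen=32)


def enroll(master_password: str, email: str) -> Tuple[bytes, bytes]:
    """Create the server-side record for a new account: a fresh random salt
    (32 bytes assumed) and the strengthened hash of the client-derived key."""
    salt = os.urandom(32)
    return salt, server_hash(client_key(master_password, email), salt)


def verify(master_password: str, email: str, salt: bytes, stored_hash: bytes) -> bool:
    """Login check: rerun both derivations and compare in constant time."""
    candidate = server_hash(client_key(master_password, email), salt)
    return hmac.compare_digest(candidate, stored_hash)


def offline_attack(stolen_salt: bytes, stolen_hash: bytes, email: str,
                   wordlist: List[str]) -> Tuple[int, Optional[str]]:
    """What an attacker holding a leaked (salt, hash) pair must do: pay the
    full client + server PBKDF2 cost for every guess. Returns (guesses made,
    recovered password or None). Because the salt is per user, none of this
    work transfers to another account or to a precomputed table."""
    for tried, guess in enumerate(wordlist, start=1):
        if verify(guess, email, stolen_salt, stolen_hash):
            return tried, guess
    return len(wordlist), None


def seconds_per_guess(email: str = "user@example.com") -> float:
    """Measure the cost of one guess on this machine, to estimate attacker
    throughput. Timing-dependent, so only its positivity is meaningful."""
    salt = os.urandom(32)
    start = time.perf_counter()
    server_hash(client_key("not the real password", email), salt)
    return time.perf_counter() - start


if __name__ == "__main__":
    email = "user@example.com"  # constructed sample account
    salt, stored = enroll("correct horse battery staple", email)
    print("login with right password:", verify("correct horse battery staple", email, salt, stored))
    print("login with wrong password:", verify("correct horse battery stable", email, salt, stored))

    # Constructed mini-wordlist standing in for an attacker's dictionary.
    guesses, hit = offline_attack(salt, stored, email,
                                  ["password", "123456", "letmein", "correct horse battery staple"])
    print(f"offline attack: {guesses} guesses, recovered {hit!r}")

    per_guess = seconds_per_guess(email)
    print(f"~{per_guess:.3f} s per guess on one core here (~{1 / per_guess:,.0f} guesses/s);")
    print(f"a random four-word passphrase from a 7,776-word list has {7776 ** 4:.2e} possibilities,"
          " so exhaustive search stays far beyond an offline attacker's budget.")
```

Two things the run makes visible. First, the leaked salt and hash do let an attacker test guesses without ever contacting LastPass, which is why a weak or reused master password is the real risk even though no vault data was taken. Second, each guess costs the attacker the same full derivation the legitimate login pays, so the defence is entirely in the entropy of the master password: a randomly chosen passphrase multiplies that per-guess cost into an infeasible total, a dictionary word does not.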