The widely popular password manager LastPass disclosed Monday that its network had been breached and urged users to change their master passwords and activate two-step verification immediately.
Joe Siegrist, LastPass CEO and founder, said in a blog post that LastPass discovered the suspicious activity within its own network on Friday. Encrypted user vault data was not stolen, Siegrist added, nor were any user accounts accessed in the attack. However, the attackers did compromise some LastPass account email addresses, password reminders, per-user salts and authentication hashes.
“We are confident that our encryption measures are sufficient to protect the vast majority of users,” Siegrist said in the security notice.
A salt is random data that is added to each password before the password is cryptographically hashed. Salting user passwords is meant to make dictionary-based brute-force attacks on user accounts much harder, because a precomputed table of hashes no longer matches every account at once.
“LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side,” Siegrist said. “This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
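The two-stage strengthening described in the notice, shown as an added example (not LastPass's code) using Python's standard library: the client derives a hash from the master password and sends that, and the server wraps it in a random per-user salt and 100,000 further rounds of PBKDF2-SHA256 before storing it. The client-side round count and the use of the email address as the client-side salt are assumptions for illustration; the page does not state them.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000     # assumed client-side iteration count (not stated on the page)
SERVER_ROUNDS = 100_000   # server-side rounds, as stated in the security notice


def client_derive(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side strengthening. The master password itself never leaves the device;
    only this derived value is sent. Using the lower-cased email as the client salt
    is an assumption made for this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), rounds)


def server_strengthen(client_hash: bytes, per_user_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side strengthening: the stored authentication hash is PBKDF2-SHA256 over
    the client-derived value, keyed with a random per-user salt and 100,000 rounds."""
    return hashlib.pbkdf2_hmac("sha256", client_hash, per_user_salt, rounds)


def register(master_password: str, email: str) -> dict:
    """Create the record a server would store: email, random salt, authentication hash.
    This is the kind of record the notice says was exposed (no vault data is in it)."""
    salt = os.urandom(16)
    auth_hash = server_strengthen(client_derive(master_password, email), salt)
    return {"email": email, "salt": salt, "auth_hash": auth_hash}


def verify(record: dict, master_password: str) -> bool:
    """Recompute both stages from a login attempt and compare in constant time."""
    candidate = server_strengthen(client_derive(master_password, record["email"]), record["salt"])
    return hmac.compare_digest(candidate, record["auth_hash"])


def guess_cost_rounds() -> int:
    """Total PBKDF2 iterations an attacker holding a stolen record must perform per
    password guess per account: both stages have to be recomputed for every guess."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


def same_password_distinct_hashes(password: str, email_a: str, email_b: str) -> bool:
    """Two users with the same master password get different stored hashes, so a
    cracked hash for one account reveals nothing about the other (no batch attack)."""
    a, b = register(password, email_a), register(password, email_b)
    return a["salt"] != b["salt"] and a["auth_hash"] != b["auth_hash"]
```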
One security researcher pointed out that, since attackers cannot access the encrypted passwords without the master password, the stolen email addresses may pose the more immediate risk, and that users should change their passwords for that reason. Hackers could begin abusing those email addresses at other services protected by common or weak passwords, possibly hijacking millions of accounts and, through them, gaining access to billions of passwords.
It is likely that LastPass users will receive a wave of targeted phishing emails presenting a fake ‘Update your LastPass Master Password’ notification. Any LastPass emails need to be treated with extreme caution: log in only at the official lastpass.com website, never by clicking links in an email notification.
The company has responded swiftly to the LastPass breach, notifying each customer individually by email. Users changing their password from a new device or IP address will be required to verify their identity with the email on the account, unless multifactor authentication is already enabled.
“If you have a weak master password or if you have reused your master password on any other website, please update it immediately. Then replace the passwords on those other websites,” Siegrist added in the security notice. “Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault.”
LastPass, like many other password managers, works as a web-based tool that encrypts and decrypts data on the local device before communicating with the online LastPass servers. Once the program is installed, users are prompted to create an account with an email address and master password. After creating the account and logging in to the service, users can begin generating strong passwords and saving them for websites. The program also lets users store common personal information including names, street addresses, date of birth, gender, credit card details, Social Security numbers and more.
Password managers are always prime targets for hackers, as they present a single account that gives access to potentially millions of sensitive accounts. Just last summer, LastPass avoided a possible password-leaking incident by patching two security vulnerabilities. The vulnerabilities that were neutralized could have allowed hackers to target users and generate one-time passwords on their accounts.
If you are a LastPass user, we urge you to immediately change your master password or email associated with your account. While no information was stolen, aside from emails, the LastPass breach still puts your account at risk.