LastPass announced Monday that suspicious activity was identified on its network on Friday – as a result, LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
“We are confident that our encryption measures are sufficient to protect the vast majority of users,” Joe Siegrist, CEO and cofounder of LastPass, wrote in a Monday post. “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side.”
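To make the two-stage strengthening Siegrist describes concrete, here is an added Python model (not code from LastPass or from this article): the 100,000 server-side PBKDF2-SHA256 rounds and the random per-user salt come from the statement, while the client-side round count, the use of the email as the client-side salt, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# 100,000 server-side PBKDF2-SHA256 rounds and a random per-user salt are taken
# from LastPass's statement; the client-side round count is a constructed placeholder.
SERVER_ROUNDS = 100_000
CLIENT_ROUNDS = 5_000  # assumption, not LastPass's real figure


def client_auth_hash(email, master_password, rounds=CLIENT_ROUNDS):
    """Client-side rounds: derive the value the browser sends at login.
    Modelled here as PBKDF2 keyed on the master password and salted with the
    email, so the master password itself never leaves the device (assumption)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), rounds)


def server_strengthen(client_hash, per_user_salt, rounds=SERVER_ROUNDS):
    """Server-side rounds: stretch the received hash again with a random
    per-user salt. This output, together with the salt, is what the server
    stores and what the article says was compromised."""
    return hashlib.pbkdf2_hmac("sha256", client_hash, per_user_salt, rounds)


def enroll(email, master_password):
    """Create the stored record: email, random per-user salt, strengthened hash."""
    salt = os.urandom(16)
    auth_hash = server_strengthen(client_auth_hash(email, master_password), salt)
    return {"email": email, "salt": salt, "auth_hash": auth_hash}


def verify(record, email, candidate_password):
    """Server-side login check; every guess costs the full client plus server
    rounds, and the constant-time comparison avoids a timing side channel."""
    candidate = server_strengthen(
        client_auth_hash(email, candidate_password), record["salt"])
    return hmac.compare_digest(candidate, record["auth_hash"])


if __name__ == "__main__":
    rec = enroll("alice@example.com", "correct horse battery staple")
    print(verify(rec, "alice@example.com", "correct horse battery staple"))
    print(verify(rec, "alice@example.com", "wrong password"))
```

Because the per-user salt is random, two users with the same master password still end up with different stored hashes, so a leaked table cannot be attacked with a single precomputed list.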
LastPass has blocked the suspicious activity and all users are being notified. An investigation found no evidence that encrypted user vault data was taken or that accounts were accessed, Siegrist wrote.
To ensure that data remains secure, all users are being asked to change their master password. Additionally, users who log in from a new device or IP address will be required to first verify their account via email, unless multifactor authentication is enabled.
“The fact that the attackers are now armed with a list of LastPass users by email means that we may see some targeted phishing campaigns, presenting users with fake ‘Update your LastPass master password’ links,” Tod Beardsley, security engineering manager with Rapid7, said in a statement emailed to SCMagazine.com on Monday.
In a Monday statement emailed to SCMagazine.com, Devin Egan, cofounder and CTO of LaunchKey, urged users to enable additional factors of authentication.
“Unlike a site that stores passwords one-way hashed, a password manager encrypts the users' passwords with a way to decrypt them so they can be used later,” Egan said. “Thus, LastPass's breached hashes and salts will be under attack and any successful crack could lead to a specific user without additional factors of authentication open to further data breaches.”