LastPass hacked, email addresses, password reminders and more compromised
A lot of people trust LastPass to keep their passwords safe, which is why news that the company has been hacked and its user data compromised is seriously worrying.
LastPass discovered and blocked some suspicious activity on its network last Friday and immediately launched an investigation. Today it reports its findings, and they're very concerning indeed.
The bad news is that email addresses, password reminders, server-side per-user salts, and authentication hashes were compromised in the attack. The good news, however, is that your passwords should be safe. LastPass found no evidence that encrypted user vault data was taken in the attack, nor that any LastPass user accounts were accessed.
LastPass says: "We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed".
So the stolen hashes can be attacked, just not quickly.
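The two-stage scheme LastPass describes, written out as an added illustration (not LastPass's own code): the client stretches the master password before sending an authentication hash, and the server applies a further 100,000 rounds of PBKDF2-SHA256 under a random per-user salt before storing anything. The client-side round count and the use of the account email as the client-side salt are assumptions; the article gives neither.

```python
import hashlib
import hmac
import os

# 100,000 server-side rounds is the figure from the article; the client-side
# round count is an assumption for illustration (the article gives no number).
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_auth_hash(master_password: str, email: str,
                     rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client side: stretch the master password before it leaves the device.
    Assumed scheme: the lower-cased account email serves as the client salt,
    so the same password and email always yield the same authentication hash."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), rounds)


def server_strengthen(auth_hash: bytes, salt: bytes,
                      rounds: int = SERVER_ROUNDS) -> bytes:
    """Server side: another PBKDF2-SHA256 pass keyed by the received hash with a
    random per-user salt. Only this output and the salt are stored, so this is
    what an attacker holding the leaked table has to work backwards from."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds)


def enroll(master_password: str, email: str) -> dict:
    """Build the stored record for a user: fresh 32-byte salt plus strengthened hash.
    Because the salt is random, two users with the same password (or one user
    enrolling twice) get unrelated stored hashes, which blocks shared cracking work."""
    salt = os.urandom(32)
    stored = server_strengthen(client_auth_hash(master_password, email), salt)
    return {"email": email, "salt": salt, "hash": stored}


def verify(record: dict, master_password: str) -> bool:
    """Login check: recompute both stages and compare in constant time."""
    candidate = server_strengthen(
        client_auth_hash(master_password, record["email"]), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])
```

Each password guess against a leaked record costs the attacker the full CLIENT_ROUNDS + SERVER_ROUNDS of HMAC-SHA256, and the per-user salt means that cost is paid separately for every record.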
As a precaution LastPass is urging users to change their master password immediately, and also change it on any other sites where it might have been reused (if you're foolish enough to do that sort of thing). The company is also now requiring users who log in from a new device or IP address to verify their account by email -- unless they have multifactor authentication enabled.
Are you a LastPass user? Worried about this news?