LastPass, the popular online password manager, announced last night in a blog post that its network has been breached and that hackers managed to obtain users' personal data, including email addresses and password reminders. The company notes that the hackers did not manage to access users' encrypted vault data, which is a great relief.
The company says that it discovered the breach last Friday after detecting suspicious activity on its network. LastPass says its encryption is strong enough that the data is unlikely to be compromised. It says that it appends random digits to the keys, making it over 100,000 times more secure. “We are confident that our encryption measures are sufficient to protect the vast majority of users.”
LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
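A minimal sketch of the layered stretching described above, added here as an illustration and not LastPass's own code. The client-side round count, the use of the email address as the client-side salt, the salt size and all function names are assumptions.

```python
import hashlib
import hmac
import os
import time

CLIENT_ROUNDS = 5_000     # assumed; the article gives no client-side figure
SERVER_ROUNDS = 100_000   # server-side PBKDF2-SHA256 rounds stated in the article
SALT_BYTES = 16           # assumed salt size


def client_auth_hash(email, master_password):
    """Client side: stretch the password so the server never sees it.
    Using the email as the client-side salt is an assumption of this sketch."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS)


def server_enroll(auth_hash):
    """Server side: fresh random salt per record, then 100,000 more rounds."""
    salt = os.urandom(SALT_BYTES)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return salt, stored


def server_verify(auth_hash, salt, stored):
    """Recompute with the record's salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def seconds_per_guess(salt):
    """Time one full guess (client + server rounds) against one record."""
    start = time.perf_counter()
    server_verify(client_auth_hash("user@example.com", "guess"), salt, b"\0" * 32)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample account, not real data.
    h = client_auth_hash("user@example.com", "correct horse battery staple")
    salt_a, rec_a = server_enroll(h)
    salt_b, rec_b = server_enroll(h)
    # Same password, different salts: the stored values differ, so work spent
    # on one stolen record cannot be reused against another.
    print("records differ:", rec_a != rec_b)
    print("verifies:", server_verify(h, salt_a, rec_a))
    print("cost of one guess: %.3f s" % seconds_per_guess(salt_a))
```

The per-guess cost does nothing for a master password that is short or already in a wordlist, which is why the password change is still requested.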
As a security measure, LastPass is asking all of its users to change their master passwords. But it also says users should wait for a prompt from the company before doing so. It also advises people to turn on multi-factor authentication, in which users are sent a text on their phone when they try to log in to their accounts from an unrecognized machine.
If you have a LastPass account, we recommend that you change its password as soon as possible. The company will also be sending you an email to help you change your master password.