LastPass, the popular online password manager, announced last night in a blog post that its network has been breached and that hackers managed to obtain its users’ personal data, including email addresses and password reminders. The company notes that hackers couldn’t access users’ encrypted vault data, which is a great relief.
The company says that it discovered the breach last Friday after detecting suspicious activity on its network. LastPass assures users that its encryption is sophisticated enough that the encrypted data is unlikely to be compromised. It says that it appends random digits to the keys, making it over 100,000 times more secure. “We are confident that our encryption measures are sufficient to protect the vast majority of users.”
LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
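The layered stretching described above, sketched as an added example (not LastPass's code). The client-side round count and the use of the username as the client-side salt are assumptions, since the article gives only the server-side figure.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000    # assumption: the article does not state the client-side count
SERVER_ROUNDS = 100_000  # server-side PBKDF2-SHA256 rounds, as stated in the article


def client_auth_hash(master_password: str, username: str) -> bytes:
    """Runs on the user's device; only this derived value is sent to the server."""
    # Assumption: the lower-cased username serves as the client-side salt.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.lower().encode("utf-8"), CLIENT_ROUNDS)


def server_enroll(auth_hash: bytes) -> dict:
    """Strengthen the received hash with a fresh random salt before storing it."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], SERVER_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


def rounds_per_guess() -> int:
    """PBKDF2 iterations needed to test one password guess against a stolen record."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


if __name__ == "__main__":
    # Constructed sample account, not real data.
    h = client_auth_hash("correct horse battery staple", "alice@example.com")
    rec_a = server_enroll(h)
    rec_b = server_enroll(h)
    print("login ok:", server_verify(rec_a, h))
    # Per-record salts mean equal passwords never produce equal stored hashes,
    # so each stolen record has to be attacked separately.
    print("records differ:", rec_a["hash"] != rec_b["hash"])
    print("iterations per guess:", rounds_per_guess())
```

The stretching raises the cost of each guess but does not rescue a weak or reused master password, which is why the password change still matters.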
As a security measure, LastPass is asking all of its users to change their master passwords. But it also says users should wait for a prompt from the company before doing so. It also advises people to turn on multi-factor authentication, in which users are sent a text on their phone when they try to log in to their accounts from an unrecognized machine.
If you have a LastPass account, we recommend you change its password soon. The company will also be sending you an email to help you change your master password.