LastPass, the Fairfax, Va-based company behind one of the most popular password management tools, announced Monday that it had suffered a security breach. Email addresses, password reminders and authentication hashes were compromised.’
CEO and co-founder Joe Siegrist said on the company blog that the LastPass team detected an intrusion on its systems last week. “We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network,” he wrote. “In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
LastPass lets its users store encrypted versions of their passwords for all their online accounts on servers in the cloud, sealing them off behind one master password. The tool offers people the ability to rely on one super strong passcode, rather than having to remember dozens of such codes of across the web.
The LastPass team has urged the users of its service to change their master passwords as soon as possible. It also recommends that its users strengthen their authentication procedures by adding a device-specific step: “We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. (Recently, the photo sharing app Snapchat announced that it would adopt two-factor authentication. And the car service Uber is reportedly exploring new verification measures, too.)
LastPass said that “encrypted user data was not taken,” and that “you do not need to change your passwords on sites stored in your LastPass vault.” For those who have reused their master password on other sites, however, the company recommends replacing those passwords.
“We are confident that our encryption measures are sufficient to protect the vast majority of users,” Siegrist wrote in his blog post. “Nonetheless, we are taking additional measures to ensure that your data remains secure, and users will be notified via email.”
Currently, the website is flooded with inquiries related to the breach. “Sorry, but we are currently experiencing an extremely high volume of support tickets due to our recent security announcement,” its contact page reads. “Please be patient while we try to respond to your questions and issues as quickly as possible. Anticipated wait times for non-critical issues are currently 3 days for Premium and over 5 days for free users.”
To recap: If you use LastPass, go change your master password immediately and set up two-factor authentication. And if you happen to use the same password to lock your LastPass account that you use to secure, say, your personal email or other online account, you should change that immediately, too.
