Password manager LastPass announced Monday that suspicious activity had been identified on its network on Friday and that, as a result, LastPass account email addresses, password reminders, server per-user salts and authentication hashes were compromised.
“We are confident that our encryption measures are sufficient to protect the vast majority of users,” Joe Siegrist, CEO and cofounder of LastPass, wrote in a Monday post. “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side.”
LastPass has blocked the suspicious activity and all users are being notified. An investigation found no evidence that encrypted user vault data was taken or that accounts were accessed, Siegrist wrote.
To ensure that data remains secure, all users are being asked to change their master password. Additionally, users who log in from a new device or IP address will be required to first verify their account via email, unless multifactor authentication is enabled.
“The fact that the attackers are now armed with a list of LastPass users by email means that we may see some targeted phishing campaigns, presenting users with fake ‘Update your LastPass master password’ links,” Tod Beardsley, security engineering manager with Rapid7, said in a statement emailed to the press on Monday.
In a Monday statement emailed to SCMagazine.com, Devin Egan, cofounder and CTO of LaunchKey, urged users to enable additional factors of authentication.
“Unlike a site that stores passwords one-way hashed, a password manager encrypts the users' passwords with a way to decrypt them so they can be used later,” Egan said. “Thus, LastPass's breached hashes and salts will be under attack and any successful crack could lead to a specific user without additional factors of authentication open to further data breaches.”
Chris Boyd, malware intelligence analyst at Malwarebytes, said in an email to press:
“The biggest cause for concern in the immediate aftermath of the LastPass breach is ‘easy to guess’ password reset questions and password reuse across multiple websites. If you've reused your LastPass Master Password anywhere else, you must change it immediately.
“If you're still happy to use LastPass after this attack, you must ensure you're using some of the many security options available, which include two-factor authentication and ‘allow or deny’ logins by geographical region.
“Many of those affected could say ‘Enough is enough’ and go back to storing passwords on the desktop. While that works for some people, too many would probably fail to consider the security risks brought on by such actions.”
LastPass, which had similar problems four years ago, has been praised by some on social media for at least reacting quickly to the breach, and for being open and honest about the incident – something which isn't always said of other breached companies.
A version of this article first appeared on SCMagazine.com.