In news that will be sure to send users into a panic, popular password manager LastPass has been hacked. The breach was announced by LastPass co-founder and CEO Joe Siegrist on the company’s blog in a post titled “LastPass Security Notice.”
LastPass caught suspicious activity on its network on Friday, which led to an investigation into the activity over the weekend. The company found during the deep dive into the breach that “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
Any time “passwords” and “hacking” are used in the same sentence, it’s sure to send people into a tizzy. While every hack is worth worrying about, LastPass is reporting that no encrypted data has been taken and no LastPass user accounts have been accessed.
The way LastPass authentication works makes these hashes hard to crack if you use a password of even marginal quality. Still, I’m changing.
— SwiftOnSecurity (@SwiftOnSecurity) June 15, 2015
https://twitter.com/csoghoian/status/610531855813713920
Still, it is strongly recommended that LastPass users change their master password. Passwords to other sites are encrypted and stored privately in a user vault, so those should remain safe. But LastPass is prompting users to reset their master passwords. The service will also require users signing in on a new device to authenticate their account via email, or via multi-factor authentication if enabled.
LastPass previously suffered a breach in 2011 after discovering oddities in incoming and outgoing network traffic. The company decommissioned the breached servers and recommended users change their master passwords. The request overwhelmed the remaining servers and caused additional troubles. However, no customer data was found to be compromised.
Photo via kev-shine/Flickr (CC BY 2.0)