For those using LastPass, its time to change your master password. The warning note from LassPass is found below and HERE. According to LastPass, the authentication hashes should be sufficiently encrypted to prevent anyone from using them to access your account. However, the company is still prompting all users to update their master password that they use to log in to their LastPass account. Here is the post from LastPass.
We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
Nonetheless, we are taking additional measures to ensure that your data remains secure, and users will be notified via email. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
If you have a weak master password or if you have reused your master password on any other website, please update it immediately. Then replace the passwords on those other websites.
Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.
Security and privacy are our top concerns here at LastPass. Over the years, we have been and continue to be dedicated to transparency and proactive measures to protect our users. In addition to the above steps, we’re working with the authorities and security forensic experts.
We apologize for the extra steps of verifying your account and updating your master password, but ultimately believe this will provide you better protection. Thank you for your understanding and support.
Joe Siegrist
& the LastPass Team
