LastPass breached, hashed master passwords compromised

LastPass, the company behind the popular password management service of the same name, announced on Monday that it has suffered a breach, and has urged users to verify their accounts and update their master passwords.

Suspicious activity on the company’s network was discovered on Friday, and the subsequent investigation revealed that LastPass account email addresses, password reminders, server-side per-user salts, and authentication hashes were compromised.

“We are confident that our encryption measures are sufficient to protect the vast majority of users,” LastPass CEO and co-founder Joe Siegrist noted, and explained: “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
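An added illustration of the two-stage hashing the quote describes, written for this article and not LastPass's own code: the client derives an authentication hash, and the server re-strengthens it with a random per-user salt and 100,000 rounds of PBKDF2-SHA256. The client-side round count and the use of the account email as the client-side salt are assumptions.

```python
import hashlib
import hmac
import os

# Parameters modelling the scheme quoted above. SERVER_ROUNDS comes from the
# quote; CLIENT_ROUNDS and the client-side salt are assumptions for this example.
CLIENT_ROUNDS = 5000
SERVER_ROUNDS = 100_000
SALT_BYTES = 32


def client_auth_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """What the client sends at login: PBKDF2-SHA256 over the master password.
    The master password itself never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), rounds)


def server_strengthen(auth_hash: bytes, per_user_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side strengthening: PBKDF2-SHA256 over the received hash with a
    random per-user salt. Only this output and the salt are stored, which is
    the data the breach exposed; an attacker still has to pay both stages
    per guess."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, rounds)


def enroll(master_password: str, email: str) -> dict:
    """Create the stored record for a new account."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "hash": server_strengthen(client_auth_hash(master_password, email), salt)}


def verify(record: dict, master_password: str, email: str) -> bool:
    """Check a login attempt against the stored record in constant time."""
    candidate = server_strengthen(client_auth_hash(master_password, email), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def same_password_distinct_records(password: str, email_a: str, email_b: str) -> bool:
    """Per-user salts mean two accounts with the same master password store
    different hashes, so a stolen table cannot be cracked in one batch."""
    return enroll(password, email_a)["hash"] != enroll(password, email_b)["hash"]


if __name__ == "__main__":
    rec = enroll("correct horse battery staple", "alice@example.com")  # constructed sample
    print("login ok:", verify(rec, "correct horse battery staple", "alice@example.com"))
    print("wrong password rejected:", not verify(rec, "Tr0ub4dor&3", "alice@example.com"))
```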

Apparently, no encrypted user vault data was taken and no LastPass user accounts were accessed, so there is no need for users to change the various site passwords they keep stored in their vault.

But despite the strong encryption used by the company, a master password change will be forced on users just in case. The company also advises users to change that same password if they (contrary to often-repeated advice) used it for other online services or websites.

Finally, they are urging users to take advantage of the multifactor authentication option that the company is offering.

The company has said that it has started sending out warnings about this incident to users via email, but many have commented that they haven’t received one yet and expressed their anger about finding out about it via news sites.

Another thing that users should be worried about and on the lookout for is fake LastPass email notifications sent by crooks phishing for additional user information.

Given the very short period between the discovery of the breach and the company’s warning, it’s possible that the real extent of the breach is still unknown.

“LastPass claims that the encrypted vaults were not stolen. If true, this mitigates a major risk. If the hashes AND encrypted vaults were stolen, the attacker could take their sweet time to crack all the hashes and decrypt the vaults,” commented Steve Manzuik, Director of Security Research at Duo Security’s Duo Lab. “If this were the case, there would be little an end user could do to mitigate the risk besides going through every account stored within LastPass and changing the passwords.”

Other potential risks he pointed out include accounts and folders shared with LastPass, and the fact that the LastPass browser extension could have been tampered with.

Hopefully LastPass will come up with updates on the situation soon.

We’ve received a variety of comments from industry leaders on this breach, and you can read them here.