Online Password Manager LastPass Hacked

Users of the online password management service LastPass are being told to update their master passwords in light of "suspicious activity" detected on the company's network last week. However, the company said the incident is not believed to have compromised users' accounts or their encrypted data.

LastPass discovered the suspicious activity on Friday and took action to block it, according to a statement from company CEO Joe Siegrist. The company is also sending an e-mail to all users with further guidance on how to ensure the security of their accounts.

Users of the password management service are able to store and automatically access individual logins to numerous Web sites by syncing their online activities with LastPass. The service relies on encryption and the use of a master password to secure users' access to all of their individual passwords.

'No Evidence' Encrypted Data Taken

In a blog post on Monday, Siegrist said the company's investigation of suspicious network activity "found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed." However, he added the company did determine that "LastPass account e-mail addresses, password reminders, server per user salts, and authentication hashes were compromised."

Because LastPass uses a random salt -- a random string of data combined with a password before it is hashed -- and 100,000-round server-side authentication to strengthen the authentication hash for its users, "the vast majority" of accounts should not be vulnerable to attacks on the stolen hashes, Siegrist noted. To ensure that user data remains secure, though, LastPass has recommended that customers update their master passwords after receiving an e-mail prompt from the company.
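Why a per-user salt and a high round count protect most stolen authentication hashes but not those derived from weak master passwords, shown as an added example that is not LastPass code. It assumes PBKDF2-HMAC-SHA256 as the stretching function (the article does not name one); all function names and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

ROUNDS = 100_000  # server-side round count quoted in the article


def auth_hash(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Stretch a password with a per-user salt (PBKDF2-HMAC-SHA256 is assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def enroll(password: str) -> dict:
    """Build the record a server would store: random salt plus stretched hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": auth_hash(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(record["hash"], auth_hash(candidate, record["salt"]))


def is_on_weak_list(record: dict, weak_list: list[str]) -> bool:
    """Audit check: does the stored hash match any known-weak password?"""
    return any(verify(record, word) for word in weak_list)


def offline_work(candidates: int, users: int, rounds: int = ROUNDS) -> int:
    """PBKDF2 iterations needed to test every candidate against every user.

    Per-user salts stop work from being shared between users, so the cost
    grows with candidates * users * rounds, not with candidates alone.
    """
    return candidates * users * rounds


# Constructed sample data, not taken from the incident.
WEAK_LIST = ["password", "123456", "letmein"]
alice = enroll("letmein")                          # weak master password
bob = enroll("letmein")                            # same password, different salt
carol = enroll("vivid-harbor-quartz-lantern-72")   # long random passphrase

if __name__ == "__main__":
    print("same password, same hash?", alice["hash"] == bob["hash"])
    print("alice on weak list:", is_on_weak_list(alice, WEAK_LIST))
    print("carol on weak list:", is_on_weak_list(carol, WEAK_LIST))
    print("iterations, 1e6 guesses x 1000 users:", offline_work(10**6, 1000))
```

The two identical passwords produce unrelated hashes, so a precomputed table is useless, yet the weak one still falls to a three-word list, which is why a master password change is advised.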

Any users who typed in their master passwords to access individual Web sites should also replace their single-site passwords, Siegrist noted. The company is also recommending that users enable multifactor authentication to provide...
