LastPass, a secure and trusted way to store passwords, is issuing a warning to its users to update their accounts. LastPass says it experienced ‘suspicious activity’ on its networks. According to a press release issued by LastPass, users can rest assured that the vault that stores user passwords has not been hacked and that user accounts have not been accessed.
The LastPass team was alerted to the ‘suspicious activity’ and succeeded in putting an end to it last week. However, further investigation revealed that LastPass account email addresses, password reminders, server per-user salts and authentication hashes were compromised. LastPass is confident in its encryption methods but has issued the warning nonetheless. According to the press release, LastPass “strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
LastPass users should be on the lookout for an email alert asking them to update their master password immediately.
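The strengthening quoted above can be sketched in Python. This is an added example, not LastPass's code: only the 100,000 server-side PBKDF2-SHA256 rounds and the per-user random salt come from the press release, while the client-side round count, the use of the email address as client-side salt, the 16-byte salt length and all function names are assumptions.

```python
import hashlib
import hmac
import os
import time

CLIENT_ROUNDS = 5_000     # assumption: the page gives no client-side count
SERVER_ROUNDS = 100_000   # from the press release quoted above


def client_hash(master_password: str, email: str) -> bytes:
    # Client-side stretch; salting with the email address is an assumption.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS)


def server_hash(client_digest: bytes, salt: bytes) -> bytes:
    # Server-side strengthening with the per-user random salt.
    return hashlib.pbkdf2_hmac("sha256", client_digest, salt, SERVER_ROUNDS)


def enroll(master_password: str, email: str):
    # Returns what the server stores: (per-user salt, authentication hash).
    salt = os.urandom(16)
    return salt, server_hash(client_hash(master_password, email), salt)


def verify(master_password: str, email: str, salt: bytes, stored: bytes) -> bool:
    candidate = server_hash(client_hash(master_password, email), salt)
    return hmac.compare_digest(candidate, stored)  # constant-time compare


def seconds_per_guess(samples: int = 3) -> float:
    # Every guess against one stored hash pays for all rounds again.
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        server_hash(client_hash(f"guess-{i}", "user@example.com"), salt)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed sample accounts that share one master password.
    password = "correct horse battery staple"
    a = enroll(password, "alice@example.com")
    b = enroll(password, "bob@example.com")
    print("same password, same stored hash?", a[1] == b[1])
    print("login ok:", verify(password, "alice@example.com", *a))
    print(f"{seconds_per_guess() * 1000:.0f} ms per guess on this CPU, per account")
```

Because each account has its own salt, the measured cost is paid again for every guess against every account, which slows guessing but does not protect a master password that is weak or reused elsewhere.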
“If you have a weak master password or if you have reused your master password on any other website, please update it immediately. Then replace the passwords on those other websites.
Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.”
The LastPass team apologizes for the inconvenience but assures users that updating their master password will help better protect them in the future. If you happen to use LastPass, check your inbox for the email and the step-by-step process for updating your master password and enabling multifactor authentication.