LastPass 'Vast Majority Of Users' Safe Following Hack, But Better Change Your Password

Password manager LastPass officially acknowledged that hackers broke into its database and compromised some data, so changing passwords is advised.

The password-managing service aims to provide a secure way for users to centrally manage all of their online passwords by using one master password. A few days ago, however, intruders hacked into the LastPass database and obtained users' email addresses, password reminders and some other data.

In a company blog post on Monday, June 15, LastPass announced that hackers did indeed break into its database on Friday, June 12, as its team found and countered "suspicious activity" on its network. A subsequent investigation didn't find any evidence that hackers took user vault data or accessed LastPass user accounts, according to the company.

The same investigation, however, revealed that hackers compromised email addresses, password reminders, authentication hashes and servers per user salts.

Despite the hack, LastPass further highlights that its encryption measures should be sufficient to ensure security for most of its users.

"LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side," further explains the blog post, adding that attacking the stolen hashes with a significant yield is difficult due to this extra strengthening.

Just to be on the safe side, however, LastPass users who log in from a new device or IP address and do not have multifactor authentication active, should first verify their account by email. As an additional safety precaution, LastPass also plans to prompt all of its users to update their master password.

The company is also sending out emails to users, informing them of this security breach. According to the announcement, LastPass users don't need to update their master passwords until they receive the prompt to do so. On the other hand, those who also used the same master password on other websites should change the password on the website in question as well.

Considering that hackers did not take any encrypted user data, LastPass says that users don't have to change their passwords on the sites they stored in their LastPass vault. Nevertheless, it's highly recommended to enable multifactor authentication for additional security.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics