LastPass is a common password management tool. It allows you to store secure passwords for various sites and accounts behind a strong master password. There are a number of other software products and services that perform this similar service such as KeePass and Intel’s True Key. Yesterday, LastPass announced that their network was compromised and they detected suspicious behavior.
We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
While the network was compromised and user data was copied, the encryption should protect individuals that are using a strong master password. Weak master passwords could be guessed and allow access to the full account database. For that reason, LastPass is asking users to update their master passwords. Multifactor authentication is also suggested, as is changing any accounts that may also use the master password.
LastPass has updated their post with frequently asked questions to address many of the common questions following the announcement, including that LastPass customers found out from the media before the company directly.