LastPass has announced that it was hacked last week; the news of the hack came to light yesterday in a blog post by the company.
The company has said that on Friday their team discovered and blocked suspicious activity on their network. They emphasized that there is no evidence that the encrypted user vault was taken.
We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
Understanding the Impact of the Hack
While LastPass has assured users that their encrypted vaults remain secure, the breach still raises significant concerns. The compromised data, including email addresses, password reminders, server per user salts, and authentication hashes, could potentially be used in phishing attacks or other malicious activities. Users should be vigilant about any unusual emails or requests for personal information that they receive.
The company’s use of PBKDF2-SHA256 with 100,000 rounds of server-side hashing, in addition to client-side hashing, is a robust measure designed to slow down brute-force attacks. This method makes it computationally expensive for attackers to crack passwords, even if they have the hashed data. However, users with weak or commonly used passwords are still at risk, underscoring the importance of using strong, unique passwords for all accounts.
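To make the two-stage hashing concrete, here is an added Python sketch (not LastPass's own code) of how a server can store and verify a master password that has already been stretched client-side, using the stated 100,000 server-side PBKDF2-SHA256 rounds and a random per-user salt. The client-side round count, the use of the email as the client-side salt, and the 16-byte server salt are assumptions made for the example.

```python
import hashlib
import hmac
import os

# 100,000 server-side rounds is the figure stated in the LastPass post; the
# client-side count (5,000) and the email-as-salt scheme are assumptions here.
SERVER_ROUNDS = 100_000
CLIENT_ROUNDS = 5_000


def client_hash(email: str, master_password: str) -> bytes:
    """Client-side stretching: this value, not the password, leaves the browser."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def server_strengthen(client_hash_bytes: bytes, salt: bytes) -> bytes:
    """Server-side strengthening: another 100,000 rounds keyed by a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", client_hash_bytes, salt, SERVER_ROUNDS)


def enroll(email: str, master_password: str) -> dict:
    """What the server keeps: email, per-user salt and authentication hash only."""
    salt = os.urandom(16)  # random per-user salt (16 bytes is an assumption)
    auth_hash = server_strengthen(client_hash(email, master_password), salt)
    return {"email": email, "salt": salt, "auth_hash": auth_hash}


def verify(record: dict, email: str, master_password: str) -> bool:
    """Login check: recompute both stages and compare in constant time.

    An attacker holding a stolen (salt, auth_hash) pair must pay the same
    CLIENT_ROUNDS + SERVER_ROUNDS of PBKDF2 for every candidate password, and
    the per-user salt means work done against one user does not carry over
    to another user with the same password.
    """
    candidate = server_strengthen(client_hash(email, master_password), record["salt"])
    return hmac.compare_digest(candidate, record["auth_hash"])


if __name__ == "__main__":
    # Constructed sample users; the shared password yields different stored hashes.
    alice = enroll("alice@example.com", "correct horse battery staple")
    bob = enroll("bob@example.com", "correct horse battery staple")
    print("alice login ok:", verify(alice, "alice@example.com", "correct horse battery staple"))
    print("wrong password rejected:", not verify(alice, "alice@example.com", "Tr0ub4dor&3"))
    print("same password, different hashes:", alice["auth_hash"] != bob["auth_hash"])
```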
Steps Taken by LastPass and Recommendations for Users
In response to the breach, LastPass has implemented additional security measures to protect user data. They have not disclosed the specifics of these measures, but they are likely to include enhanced monitoring, additional encryption layers, and possibly changes to their authentication processes.
Users are advised to take proactive steps to secure their accounts. This includes:
1. Changing Master Passwords: Even though the encrypted vaults were not compromised, changing the master password adds an extra layer of security.
2. Enabling Multi-Factor Authentication (MFA): MFA provides an additional security layer by requiring a second form of verification, such as a code sent to a mobile device.
3. Reviewing Account Activity: Users should regularly check their account activity for any unauthorized access or changes.
4. Updating Security Questions: Since password reminders were compromised, updating security questions and answers can help prevent unauthorized password resets.
LastPass has said that they are taking additional security measures and you can find out more information over at their website at the link below.
Source LastPass