AfterDawn: Tech news

Popular password manager LastPass confirms some user data was stolen

Written by Andre Yoskowitz (Google+) @ 15 Jun 2015 21:40 User comments (3)

Popular password manager LastPass confirms some user data was stolen Password manager LastPass has sent out a security notice to all users confirming that some user data was stolen but most data should be secure.
Here is the full statement from LastPass, which includes the recommendation to change your master pass:

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.

Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.

An email is also being sent to all users regarding this security incident. We will also be prompting all users to change their master passwords. You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites.

Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.

Security and privacy are our top concerns here at LastPass. Over the years, we have been and continue to be dedicated to transparency and proactive measures to protect our users. In addition to the above steps, we're working with the authorities and security forensic experts.

We apologize for the extra steps of verifying your account and updating your master password, but ultimately believe this will provide you better protection. Thank you for your understanding and support.

Previous Next  

3 user comments

116.6.2015 11:21

that is why I don't save my stuff on clouds or even passwords on my computers as no system is safe except for your brain & pen & paper.

216.6.2015 19:53

And we have a once-anticipated reason for why I chose not to use this company, or Keypass.

I use Password Safe which is a sourceforge project. Been using for over a decade now. Secure, easy, straight-forward, syncable with cloud if you know how to do basic stuff like that.

Though [in reply to ddp], I store sensitive stuff like resumes and the password db in a Windows-created, 2 or so GB VHD, then mount, then encrypt with Bitlocker then store THAT encrypted VHD on DropBox or OneDrive and their peeping eyes can't see jack.

Brutally easy and sad to say that I used Truecrypt for a while when I should have used what's available in Windows 7

This message has been edited since its posting. Latest edit was made on 16 Jun 2015 @ 20:03

321.6.2015 18:30

Pen & paper is definitely NOT secure.

With all the logins that a typical internet user has, pen & paper is neither secure nor feasible.

The human brain is surely capable, but few people can unlock perfect memory. Relying on a pseudo-random "scheme" that "only you" know the pattern is also inadvisable.

I'm perfectly happy with LastPass and two-factor authentication. I realize that getting my own devices hacked and then having my own master password hacked is a risk, but I think its better than having a huge list of passwords written down (which could be destroyed in a fire or physically stolen).

I still changed my master password, but I was never really worried. I'd be much more worried if I had all my passwords written down.

This message has been edited since its posting. Latest edit was made on 21 Jun 2015 @ 18:31

Comments have been disabled for this article.

News archive