LastPass today released a security notice on its blog letting users know that its servers were hacked and some data was stolen. Here’s a look at what LastPass said, how to change your master password, and how to enable multifactor authentication for good measure.
LastPass Hacked
In a blog post, LastPass gave some limited details about what happened:
We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
The company also said, “We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.”
One thing that’s rather irritating to a lot of users is that they are finding out about this news from websites, even though the company said in its post that emails are being sent to all users about the security incident. At the time of this writing, I haven’t received one, and by the looks of the comments on the LastPass blog, neither have a lot of other users.
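To make the strengthening scheme LastPass describes above concrete, here is an added example (not LastPass’s code) that models a per-user random salt plus 100,000 rounds of server-side PBKDF2-SHA256 applied on top of a client-side hash. The client-side round count and the use of the e-mail address as the client salt are assumptions for this model, not details from the notice.

```python
import hashlib
import hmac
import os
import time

# Assumed client-side cost for this model; the notice does not state
# LastPass's client-side round count, so this is a placeholder value.
CLIENT_ROUNDS = 5_000
# Server-side strengthening as stated in the LastPass notice.
SERVER_ROUNDS = 100_000
SALT_BYTES = 32


def client_auth_hash(email: str, master_password: str,
                     rounds: int = CLIENT_ROUNDS) -> bytes:
    """Simplified model of what the client sends instead of the master
    password: PBKDF2-SHA256 over the password, salted with the normalised
    e-mail address (an assumption). The master password stays on the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), rounds)

def register(email: str, master_password: str) -> dict:
    """Server side: draw a fresh random per-user salt and run 100,000 more
    PBKDF2-SHA256 rounds over the client hash. Only salt, round count and the
    resulting hash are stored, so this record is all a server breach yields."""
    salt = os.urandom(SALT_BYTES)
    client_hash = client_auth_hash(email, master_password)
    stored = hashlib.pbkdf2_hmac("sha256", client_hash, salt, SERVER_ROUNDS)
    return {"email": email, "salt": salt, "rounds": SERVER_ROUNDS, "hash": stored}

def verify(record: dict, email: str, master_password: str) -> bool:
    """Re-derive both stages and compare in constant time."""
    client_hash = client_auth_hash(email, master_password)
    candidate = hashlib.pbkdf2_hmac("sha256", client_hash, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])

def seconds_per_guess(record: dict) -> float:
    """Wall-clock cost of checking one candidate password against a stored
    record: every check pays for the client rounds plus the 100,000 server
    rounds, which is what keeps offline guessing against stolen hashes slow."""
    start = time.perf_counter()
    verify(record, record["email"], "not the real password")
    return time.perf_counter() - start

if __name__ == "__main__":
    rec = register("alice@example.com", "correct horse battery staple")  # constructed sample
    print("login ok:", verify(rec, "alice@example.com", "correct horse battery staple"))
    print("seconds per guess: %.3f" % seconds_per_guess(rec))
```

Registering the same password twice yields different salts and hashes, which is why a breached record for one user says nothing about another user with the same master password.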
Change Your LastPass Master Password
To change your master password, click Account Settings from the left pane.
Then in the Account Settings window click Change Master Password under the Login Credentials section.
That will bring you to the Password Reset page, where you can simply follow the onscreen instructions to change your master password. During the process, LastPass will re-encrypt everything and send you a verification email confirming that you changed the master password.
Enable MultiFactor Authentication for LastPass
While you’re at it, we recommend that you enable multifactor authentication for your LastPass account. It adds an extra layer of security to your account, and will give you more peace of mind that your passwords are secure.
In its statement today, LastPass said: “We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled.”
We showed you how to Enable LastPass Two Factor Authentication a few years ago. The process is extremely simple and there’s no better way to secure your LastPass account. Honestly, in the online climate we have today, enabling two factor authentication really is no longer optional if you want to keep your online accounts secure. We’ve spoken about this in depth here at groovyPost and we plan to focus on this even more in the coming weeks.
To enable two-factor or multifactor authentication in LastPass, just go to Account Settings > Multifactor Options and select the method you want to use… Google Authenticator is probably the easiest.
Users who have a Premium account ($12/year) can also use other options like fingerprint scanners and USB keys.
Update 6/16/2015:
Today I finally received an email from LastPass about the security issue. It’s short and doesn’t give a whole lot more detail than what we know already.
Dear LastPass User,
We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised.
We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.
We apologize for the inconvenience, but ultimately we believe this will better protect LastPass users. Thank you for your understanding, and for using LastPass.
Regards,
The LastPass Team
Overall, this doesn’t appear to be anything to panic about as the passwords stored in your vault are well protected and shouldn’t have been compromised. However, you will definitely want to change your Master Password and enable Multifactor Authentication as soon as possible.