Over the weekend, the LastPass team discovered some suspicious activity on its network. Fortunately, they were able to block whoever or whatever was trying to get into the system. LastPass was kind enough to inform users and assure them that no user data was ever taken. Not one LastPass user account was accessed, which is good news.
LastPass did an investigation and found that only account email addresses, server per-user salts, password reminders, and authentication hashes were compromised, despite the encryption measures in place. The team remains confident that such measures are enough to protect most LastPass users. As always, LastPass will continue to strengthen the authentication hash with 100,000 rounds of server-side PBKDF2-SHA256 and a random salt. This is in addition to the regular rounds performed by the client. This way, the system is much more difficult to attack.
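The two-stage hashing described above, as an added sketch that is not LastPass's code: only the 100,000 server-side PBKDF2-SHA256 rounds and the random per-user salt come from the announcement. The client round count, the use of the email as client-side salt, and all function names are assumptions.

```python
import hashlib
import hmac
import os
import time

SERVER_ROUNDS = 100_000  # server-side PBKDF2-SHA256 rounds stated in the announcement
CLIENT_ROUNDS = 5_000    # assumption: the article gives no client-side round count


def client_auth_hash(email, master_password):
    """Client side: stretch the master password before anything is sent."""
    # Assumption: the account email serves as the client-side salt.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS)


def server_enroll(auth_hash):
    """Server side: stretch the client's hash again under a random per-user salt."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return salt, stored  # only these two values are kept server-side


def server_verify(auth_hash, salt, stored):
    """Recompute the server-side hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def iterations_per_guess():
    """PBKDF2 rounds needed to test one candidate master password
    against a stolen (salt, stored) pair."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


if __name__ == "__main__":
    # Constructed sample account, not real data.
    email, password = "user@example.com", "correct horse battery staple"
    salt, stored = server_enroll(client_auth_hash(email, password))
    start = time.perf_counter()
    ok = server_verify(client_auth_hash(email, password), salt, stored)
    elapsed = time.perf_counter() - start
    print(f"login ok: {ok}; one check cost {iterations_per_guess()} rounds, {elapsed:.3f}s")
    print("wrong password:", server_verify(client_auth_hash(email, "hunter2"), salt, stored))
```

Because each account gets its own random salt, two users with the same master password end up with different stored hashes, and every offline guess has to pay the full round count per account.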
LastPass continues its promise to take additional measures to make sure user data is always safe and secure. As a requirement, anyone accessing his or her account from a new IP address or device must first authenticate and verify the account by email. Multifactor authentication is still allowed, as it is one of the most secure options. Master passwords must be updated regularly as well to ensure everything is well-protected.
Aside from this public announcement, LastPass sent a formal email to all users regarding this unfortunate incident. If you’re a user, kindly change your master password, especially if you see LastPass’ message prompt. If you reused that password on other websites, you will need to replace those passwords too.
No user data was compromised, so there is no need to worry. There is also no need to change the passwords for websites stored in your LastPass vault. The team also said that it’s currently working with security forensic experts and authorities to make sure that everything is protected and secure. Privacy is important to LastPass, so the company is dedicated to using more proactive measures. Transparency is important too, which is why the team was honest in sharing the not-so-good news with users.
SOURCE: LastPass