Joe Siegrist, CEO and co-founder of LastPass, the company behind highly popular password management tools, announced that it has been hacked. In a statement just released on the company blog, Siegrist confirmed that the LastPass team detected a breach of its systems.
As part of notifying the community, he explained that suspicious activity on the network had been identified and blocked. There was no evidence that encrypted user vault data was compromised or that the hackers gained access to any user account passwords. However, account email addresses, server per-user salts, password reminders, and authentication hashes were breached.
With LastPass, users keep encrypted versions of the passwords for all their online accounts secure on cloud servers by locking them behind a master password. By using this tool, people rely on one extremely powerful passcode as opposed to needing to remember dozens of codes for different sites.
As part of the announcement, Siegrist recommended that all users change the master password immediately. In addition, he suggested strengthening authentication procedures by adding a new step: users logging in from a new IP address or device verify the account by email, unless multifactor authentication is enabled.
Even with the password tool being breached, the good news is that no encrypted user data was taken. For that reason, there is no need to change the passwords for sites stored within the LastPass vault. However, anyone who reused the master password on other sites should definitely change those passwords.
The company stands behind the encryption measures it uses, stating that they provide sufficient protection for most users of LastPass, but because of the breach, additional security measures are being taken.
As might be imagined, the company’s website is inundated with inquiries about the attack, and a page now appears apologizing for the high volume of support tickets following the breach announcement. The company is asking users to be patient while it deals with issues and responds to questions, but says it will take approximately three days for Premium users and more than five days for free users to hear back from a representative.
The bottom line is that users of LastPass need to change the master password and also set up two-factor authentication. In addition, if the password used to lock the LastPass account is also used elsewhere, it should be changed there right away as well, to ensure additional online accounts and personal email are secure.