LastPass has been hacked and some user data has been compromised, the popular password manager announced Monday.
Joe Siegrist, chief executive officer and co-founder, writes on the company’s blog:
“We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user [password] data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
LastPass is an Internet browser add-on that remembers users’ various passwords for them, storing them behind encryption. Instead of remembering each one, users rely on a single “strong master password — the last password you have to remember,” as the company describes it, for their LastPass accounts.
Users will be contacted by email and prompted to change their master passwords, according to the blog post.
LastPass encourages customers who reused their master password on other sites to change the password they use for those sites. The company also generally recommends that users enable multifactor authentication, which improves security by requiring an extra step before users can log in to their accounts.
While the breach likely will trouble many customers, Fast Company reports that things could have been worse:
“This sounds terrible, and it certainly still has the potential to be a major problem for LastPass and its customers. However, the folks at LastPass aren’t dummies. It’s unlikely this breach will result in those who obtain the stolen data unlocking many [passwords] at all, so long as LastPass’s description of how it holds user data is accurate and well implemented.”