LastPass hacked - what you should do

LastPass hackers make off with password management data

Popular password management service LastPass has been hacked, with the attackers stealing user data.

The company said it detected the intrusion when it spotted and blocked suspicious activity in its network.

While the company said it has found "no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed", users' email addresses and password reminders, as well as server per-user salts and authentication hashes, have been swiped.

In a blog post, Joe Siegrist, CEO and founder of LastPass, sought to reassure users, saying: "We are confident that our encryption measures are sufficient to protect the vast majority of users."

"LastPass strengthens the authentication hash with a random salt and 100,000 rounds of [advanced encryption techniques] PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed," Siegrist added.
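The two-stage stretching Siegrist describes (client-side PBKDF2 rounds on the master password, then a per-user random salt and 100,000 further PBKDF2-SHA256 rounds on the server) is easy to model. The example below is added here for illustration and is not LastPass's code; the client-side round count (5,000), the use of the account email as the client-side salt and the 16-byte server salt are assumptions, since the article only gives the server-side figure of 100,000. It shows why a stolen salt plus authentication hash is expensive to attack: every guess at the master password costs the attacker the full chain of iterations, and the per-user salt prevents one precomputed table from serving all users.

```python
import hashlib
import hmac
import os
import time

CLIENT_ROUNDS = 5_000     # assumed client-side figure; the article does not state it
SERVER_ROUNDS = 100_000   # server-side figure stated in the article
SALT_LEN = 16             # assumed per-user salt length
KEY_LEN = 32              # SHA-256 digest length


def client_side_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side PBKDF2-SHA256 over the master password.

    The raw master password never leaves the client; only this derived value
    is sent as the login credential. Salting with the lower-cased account
    email is an assumption of this example.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), rounds, KEY_LEN
    )


def server_enroll(client_hash: bytes, rounds: int = SERVER_ROUNDS) -> dict:
    """Server-side enrolment: draw a fresh random per-user salt and stretch the
    client-derived value again. Only salt, round count and the resulting
    authentication hash are stored; this is the material an attacker obtains
    if the server-side store is stolen."""
    salt = os.urandom(SALT_LEN)
    auth_hash = hashlib.pbkdf2_hmac("sha256", client_hash, salt, rounds, KEY_LEN)
    return {"salt": salt, "rounds": rounds, "auth_hash": auth_hash}


def server_verify(record: dict, client_hash: bytes) -> bool:
    """Recompute the stretched hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", client_hash, record["salt"], record["rounds"], KEY_LEN
    )
    return hmac.compare_digest(candidate, record["auth_hash"])


def seconds_per_guess(record: dict, email: str = "user@example.com") -> float:
    """Cost of testing one master-password guess against a stolen record:
    the client-side rounds plus the server-side rounds, measured on this host.
    A defender uses this figure to judge how much the round count buys."""
    start = time.perf_counter()
    server_verify(record, client_side_hash("some guess", email))
    return time.perf_counter() - start


if __name__ == "__main__":
    email = "user@example.com"                       # constructed sample account
    record = server_enroll(client_side_hash("correct horse battery staple", email))
    print("salt:", record["salt"].hex())
    print("verify correct :", server_verify(record, client_side_hash("correct horse battery staple", email)))
    print("verify wrong   :", server_verify(record, client_side_hash("password123", email)))
    print(f"cost per guess : {seconds_per_guess(record):.4f} s on this machine")
```

Because the per-user salt is random, enrolling the same master password for two users yields two unrelated authentication hashes, so a single precomputed table cannot be reused across the stolen list; and because each guess must repeat both the client-side and server-side iteration counts, the throughput of any offline guessing is bounded by the round counts the provider chose.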

A number of security firms, including AlienVault, Malwarebytes and Rapid7 have commended LastPass for coming forward and notifying the public of the attack, and for the proactive processes it had in place to detect the intrusion.

However, they have also warned of several secondary security issues that could arise from the hack.

"The biggest cause for concern in the immediate aftermath of the LastPass breach is 'easy to guess' password reset questions and password reuse across multiple websites," said Malwarebytes analyst Chris Boyd.

"If you're still happy to use Last Pass after this attack, you must ensure you're using some of the many security options available, which include two-factor authentication and 'allow or deny' logins by geographical region," he added.

Tod Beardsley, security engineering manager at Rapid7, warned: "The fact that the attackers are now armed with a list of LastPass users by email means that we may see some targeted phishing campaigns, presenting users with fake 'update your LastPass master password' links."

"So, while further direct communication from LastPass to their users about this breach should be welcome, it should be treated with suspicion if there are any embedded links and calls to action," he added.

What to do if you are a LastPass user

Normally in situations like this, the first thing you are told to do is go in and change your password. However, this is currently not possible, as user accounts are currently "locked down".

In the case of consumer accounts, the company is in the process of sending out emails to users with a prompt to change their master password, saying they "do not need to update [it] until you see our prompt".

LastPass has also advised that "because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault", except in cases where they are the same as the master password.

For its enterprise customers, LastPass told IT Pro that it had contacted administrators by email on Monday evening, adding: "In the interest of security, we continue to advise our enterprise admins to enable the 'Master Password Strength' policies, as well as multifactor authentication."
