LastPass hacked - what you should do

LastPass hackers make off with password management data

Popular password management service LastPass has been hacked, with the attackers stealing user data.

The company said it detected the intrusion when it spotted and blocked suspicious activity in its network.

While the company said it has found "no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed", users' email addresses and password reminders, as well as server-side per-user salts and authentication hashes, have been swiped.


In a blog post, Joe Siegrist, CEO and founder of LastPass, sought to reassure users, saying: "We are confident that our encryption measures are sufficient to protect the vast majority of users."

"LastPass strengthens the authentication hash with a random salt and 100,000 rounds of [advanced encryption techniques] PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed," Siegrist added.
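To make concrete what the server-side strengthening described above buys a defender, here is an added Python example (not LastPass's own code) that models a client-side PBKDF2 step followed by the server's random per-user salt and 100,000 PBKDF2-SHA256 rounds, and shows why a stolen record alone does not give up the master password quickly. The client-side round count (5,000) and the use of the email address as the client-side salt are assumptions made for this example.

```python
import hashlib
import hmac
import os

# 100,000 server-side rounds come from the article; the client-side
# count (5,000) is an assumption made for this example.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000
SALT_BYTES = 32


def client_auth_hash(master_password: str, email: str,
                     rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side step: turn the master password into an authentication
    hash before it leaves the device. Salting with the lower-cased email
    is an assumption for this example; the real scheme may differ."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), rounds)


def server_enroll(auth_hash: bytes) -> dict:
    """Server-side strengthening: a fresh random salt per user and 100,000
    more PBKDF2-SHA256 rounds. Only the salt and the result are stored, so
    a breach of this record leaves an attacker 100,000 rounds away from the
    client-side hash, and the client-side rounds away from the password."""
    salt = os.urandom(SALT_BYTES)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Recompute the strengthened hash for a login attempt and compare it
    to the stored value in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"],
                                    SERVER_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


def rounds_per_guess() -> int:
    """Cost of testing one candidate master password against a stolen
    record: both stages must be recomputed for every guess."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    good = client_auth_hash("correct horse battery staple", "alice@example.com")
    record = server_enroll(good)
    print(server_verify(record, good))  # True
    print(server_verify(record, client_auth_hash("wrong", "alice@example.com")))  # False
```

Enrolling the same password twice yields different stored hashes because each record gets its own random salt, so precomputed tables built for one user are useless against another.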

A number of security firms, including AlienVault, Malwarebytes and Rapid7, have commended LastPass for coming forward and notifying the public of the attack, and for the proactive processes it had in place to detect the intrusion.

However, they have also warned of several secondary security issues that could arise from the hack.

"The biggest cause for concern in the immediate aftermath of the LastPass breach is 'easy to guess' password reset questions and password reuse across multiple websites," said Malwarebytes analyst Chris Boyd.


"If you're still happy to use Last Pass after this attack, you must ensure you're using some of the many security options available, which include two-factor authentication and 'allow or deny' logins by geographical region," he added.

Tod Beardsley, security engineering manager at Rapid7, warned: "The fact that the attackers are now armed with a list of LastPass users by email means that we may see some targeted phishing campaigns, presenting users with fake 'update your LastPass master password' links."

"So, while further direct communication from LastPass to their users about this breach should be welcome, it should be treated with suspicion if there are any embedded links and calls to action," he added.

What to do if you are a LastPass user

Normally in situations like this, the first thing you are told to do is go in and change your password. However, this is currently not possible, as user accounts are currently "locked down".

In the case of consumer accounts, the company is in the process of sending out emails to users with a prompt to change their master password, saying they "do not need to update [it] until you see our prompt".


LastPass has also advised that "because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault", except in cases where they are the same as the master password.

For its enterprise customers, LastPass told IT Pro that it had contacted administrators by email on Monday evening, adding: "In the interest of security, we continue to advise our enterprise admins to enable the 'Master Password Strength' policies, as well as multifactor authentication."
