LastPass hacked - what you should do

LastPass hackers make off with password management data

Popular password management service LastPass has been hacked, with the attackers stealing user data.

The company said it detected the intrusion when it spotted and blocked suspicious activity in its network.

While the company said it has found "no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed", users' email addresses and password reminders, as well as server per-user salts and authentication hashes, have been swiped.

In a blog post, Joe Siegrist, CEO and founder of LastPass, sought to reassure users, saying: "We are confident that our encryption measures are sufficient to protect the vast majority of users."

"LastPass strengthens the authentication hash with a random salt and 100,000 rounds of [advanced encryption techniques] PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed," Siegrist added.
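The two-stage strengthening Siegrist describes, as an added illustration in Python that is not LastPass's own code: the client derives an authentication hash from the master password, and the server runs PBKDF2-SHA256 over that hash again with a random per-user salt and 100,000 rounds before storing it, so a stolen record cannot be checked against a guess without paying both costs. The client-side round count and the use of the account email as the client-side salt are assumptions here, not details stated in the article.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000     # assumed client-side iteration count (not given in the article)
SERVER_ROUNDS = 100_000   # server-side rounds quoted by Siegrist


def client_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client side: derive the authentication hash that is sent to the server.
    The master password itself never leaves the client. Salting with the
    (lower-cased) account email is an assumption of this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), rounds)


def server_strengthen(auth_hash: bytes, salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server side: re-run PBKDF2-SHA256 over the received hash with a
    random per-user salt. This is the value that lives in the database,
    and therefore the value an attacker obtains in a breach."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds)


def enroll(master_password: str, email: str) -> dict:
    """Create the stored record: email, per-user salt and strengthened hash."""
    salt = os.urandom(16)
    stored = server_strengthen(client_hash(master_password, email), salt)
    return {"email": email, "salt": salt, "hash": stored}


def verify(record: dict, master_password: str) -> bool:
    """Recompute both stages for a login attempt and compare in constant time,
    so the check does not leak how many bytes matched."""
    candidate = server_strengthen(client_hash(master_password, record["email"]),
                                  record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    rec = enroll("correct horse battery staple", "user@example.com")  # constructed sample
    print("login ok:", verify(rec, "correct horse battery staple"))
    print("wrong password:", verify(rec, "Tr0ub4dor&3"))
```

Because the salt is random per user, two accounts that share a master password still produce different stored hashes, so a guess has to be re-derived for every stolen record rather than once for the whole dump.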

A number of security firms, including AlienVault, Malwarebytes and Rapid7 have commended LastPass for coming forward and notifying the public of the attack, and for the proactive processes it had in place to detect the intrusion.

However, they have also warned of several secondary security issues that could arise from the hack.

"The biggest cause for concern in the immediate aftermath of the LastPass breach is 'easy to guess' password reset questions and password reuse across multiple websites," said Malwarebytes analyst Chris Boyd.

"If you're still happy to use LastPass after this attack, you must ensure you're using some of the many security options available, which include two-factor authentication and 'allow or deny' logins by geographical region," he added.

Tod Beardsley, security engineering manager at Rapid7, warned: "The fact that the attackers are now armed with a list of LastPass users by email means that we may see some targeted phishing campaigns, presenting users with fake 'update your LastPass master password' links."

"So, while further direct communication from LastPass to their users about this breach should be welcome, it should be treated with suspicion if there are any embedded links and calls to action," he added.

What to do if you are a LastPass user

Normally in situations like this, the first thing you are told to do is go in and change your password. However, this is currently not possible, as user accounts are currently "locked down".

In the case of consumer accounts, the company is in the process of sending out emails to users with a prompt to change their master password, saying they "do not need to update [it] until you see our prompt".

LastPass has also advised that "because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault", except in cases where they are the same as the master password.

For its enterprise customers, LastPass told IT Pro that it had contacted administrators by email on Monday evening, adding: "In the interest of security, we continue to advise our enterprise admins to enable the 'Master Password Strength' policies, as well as multifactor authentication."
