LastPass hacked - what you should do

LastPass hackers make off with password management data

Popular password management service LastPass has been hacked, with the attackers stealing user data.

The company said it detected the intrusion when it spotted and blocked suspicious activity on its network.

While the company said it has found "no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed", users' email addresses and password reminders, as well as server-side per-user salts and authentication hashes, have been swiped.

In a blog post, Joe Siegrist, CEO and founder of LastPass, sought to reassure users, saying: "We are confident that our encryption measures are sufficient to protect the vast majority of users."

"LastPass strengthens the authentication hash with a random salt and 100,000 rounds of [advanced encryption techniques] PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed," Siegrist added.
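The layered hashing Siegrist describes, as an added Python illustration (not LastPass's own code): the client stretches the master password before it is sent, and the server applies a random per-user salt and a further 100,000 rounds of PBKDF2-SHA256 to what it receives, so an attacker holding the stolen salt and hash must pay for both stages on every guess. The 5,000 client-side rounds and the use of the lower-cased email address as the client-side salt are assumptions for this example; the article does not state them.

```python
import hashlib
import hmac
import os

# Server-side figures from the article: a random per-user salt and 100,000
# rounds of PBKDF2-SHA256 applied to what the client sends. The client-side
# round count and the e-mail-as-salt choice are assumptions for this example.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_auth_hash(master_password: str, email: str) -> bytes:
    """Client-side stretching: the raw master password never leaves the client;
    the server only ever sees this derived authentication hash."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def server_strengthen(client_hash: bytes, salt: bytes) -> bytes:
    """Server-side strengthening of the received hash with a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", client_hash, salt, SERVER_ROUNDS)


def enroll(master_password: str, email: str) -> dict:
    """Build the stored record. Only the salt and the strengthened hash are kept,
    which is exactly what a dump of the authentication table yields; each offline
    guess against it costs CLIENT_ROUNDS + SERVER_ROUNDS HMAC-SHA256 iterations."""
    salt = os.urandom(16)
    client_hash = client_auth_hash(master_password, email)
    return {"email": email, "salt": salt, "auth_hash": server_strengthen(client_hash, salt)}


def verify(record: dict, master_password: str) -> bool:
    """Login check: redo both stages and compare in constant time."""
    candidate = server_strengthen(
        client_auth_hash(master_password, record["email"]), record["salt"]
    )
    return hmac.compare_digest(candidate, record["auth_hash"])


if __name__ == "__main__":
    # Constructed sample account, not real data.
    rec = enroll("correct horse battery staple", "alice@example.com")
    print("stored salt:", rec["salt"].hex())
    print("stored auth hash:", rec["auth_hash"].hex())
    print("right password accepted:", verify(rec, "correct horse battery staple"))
    print("wrong password rejected:", not verify(rec, "correct horse battery stable"))
```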

A number of security firms, including AlienVault, Malwarebytes and Rapid7 have commended LastPass for coming forward and notifying the public of the attack, and for the proactive processes it had in place to detect the intrusion.

However, they have also warned of several secondary security issues that could arise from the hack.

"The biggest cause for concern in the immediate aftermath of the LastPass breach is 'easy to guess' password reset questions and password reuse across multiple websites," said Malwarebytes analyst Chris Boyd.

"If you're still happy to use LastPass after this attack, you must ensure you're using some of the many security options available, which include two-factor authentication and 'allow or deny' logins by geographical region," he added.

Tod Beardsley, security engineering manager at Rapid7, warned: "The fact that the attackers are now armed with a list of LastPass users by email means that we may see some targeted phishing campaigns, presenting users with fake 'update your LastPass master password' links."

"So, while further direct communication from LastPass to their users about this breach should be welcome, it should be treated with suspicion if there are any embedded links and calls to action," he added.

What to do if you are a LastPass user

Normally in situations like this, the first thing you are told to do is go in and change your password. However, this is not currently possible, as user accounts are "locked down" for the time being.

In the case of consumer accounts, the company is in the process of sending out emails to users with a prompt to change their master password, saying they "do not need to update [it] until you see our prompt".

LastPass has also advised that "because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault", except in cases where they are the same as the master password.

For its enterprise customers, LastPass told IT Pro that it had contacted administrators by email on Monday evening, adding: "In the interest of security, we continue to advise our enterprise admins to enable the 'Master Password Strength' policies, as well as multifactor authentication."
