LastPass hacked - what you should do

LastPass hackers make off with password management data

Popular password management service LastPass has been hacked, with the attackers stealing user data.

The company said it detected the intrustion when it spotted and blocked suspicious activity in its network.

While the company said it has found "no evidence that encyrpted user vault data was taken, nor that LastPass user accounts were accessed", users' email addresses and password reminders, as well as server per user salts and authentication hashes have been swiped.

In a blog post, Joe Siegrist, CEO and founder of LastPass, sought to reassure users, saying: "We are confident that our encryption measures are sufficient to protect the vast majority of users."

"LastPass strengthens the authentication hash with a random salt and 100,000 rounds of [advanced encryption techniques] PBKDF2-SHA256, in addition to the roundsperformed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed," Siegrist added.

A number of security firms, including AlienVault, Malwarebytes and Rapid7 have commended LastPass for coming forward and notifying the public of the attack, and for the proactive processes it had in place to detect the intrusion.

However, they have also wanred of several secondary security issues that could arise from the hack.

"The biggest cause for concern in the immediate aftermath of the LastPass breach is 'easy to guess' password reset questions and password reuse across multiple websites," said Malwarebytes analyst Chris Boyd.

"If you're still happy to use Last Pass after this attack, you must ensure you're using some of the many security options available, which include two-factor authentication and 'allow or deny' logins by geographical region," he added.

Tod Beardsley, security engineering manager at Rapid7, warned: "The fact that the attackers are now armed witha  list of LastPass users by email means that we may see some targeted phishing campaigns, presenting users with fake 'update your LastPass master password' links."

"So, while further direct communication from LastPass to their users about this breach should be welcome, it should be treated with suspicion if there are any embedded links and calls to action," he added.

What to do if you are a LastPass user

Normally in situations like this, the first thing you are told to do is go in and change your password. However, this is currently not possible, as user accounts are currently "locked down".

In the case of consumer accounts, the company is in the proces of sending out emails to users with a prompt to change their master password, saying they "do not need to update [it] until you see our prompt".

LastPass has also advised that "because encrypted user data was not taken, you do not need to change your passwords on sites storeg in your LastPass vault", except in cases where they are the same as the master password.

For its enterprise customers, LastPass told IT Pro that it had contacted administrators by email on Monday evening, adding "in the interest of sevurity, we continue to advise our enterprise admins to enable the 'Master Password Strength' policies, as well as multifactor authentication.

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

Tens of thousands of Pennsylvanians health data exposed following data breach
data protection

Tens of thousands of Pennsylvanians health data exposed following data breach

4 May 2021
Cost of a data breach report 2020
Whitepaper

Cost of a data breach report 2020

30 Apr 2021
Reverb exposes 'millions' of customer records on unsecured server
data protection

Reverb exposes 'millions' of customer records on unsecured server

27 Apr 2021
Hackers sell $38 million in gift cards on Russian marketplace
hacking

Hackers sell $38 million in gift cards on Russian marketplace

7 Apr 2021

Most Popular

Dell patches vulnerability affecting hundreds of computer models worldwide
cyber security

Dell patches vulnerability affecting hundreds of computer models worldwide

5 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021