In-brief: LastPass, the keeper of passwords for millions of security-conscious Internet users, said on Monday that its own systems were breached by hackers.
LastPass, the keeper of passwords for millions of security-conscious Internet users, has admitted that its own systems were breached by hackers, who made off with customer e-mail addresses, stored password reminders and unique password “hashes.”
The company issued the alert on Monday, saying that it first became aware of the breach on Friday, June 12, when the company “discovered and blocked suspicious activity on our network.” LastPass maintains that it has no evidence that its customers’ data – the encrypted passwords stored in each account’s user vault – was taken. It also claims that user accounts were not accessed in the attack. Still, the company is imposing additional security measures on account login attempts from new IP addresses, according to a post by CEO Joe Siegrist on the LastPass blog.
No information was provided on how the company’s network was compromised or how much data may have been exposed.
Siegrist advised LastPass customers with weak master passwords securing their vault to update it immediately – especially if the same password is used for other online services (a big no-no).
However, Siegrist said that the company does not believe that users need to update passwords stored in their LastPass vault. The company, he noted, strengthens the authentication hash – which it uses to protect passwords – with a “random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side.” All that additional hashing work makes it “difficult to attack the stolen hashes with any significant speed,” he said. Still, Siegrist advised customers who had not done so to enable two-factor authentication to protect their account.
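As an added illustration (not LastPass’s own code), here is how a layered scheme like the one Siegrist describes can be built in Python: the client stretches the master password with PBKDF2-SHA256 before sending anything, and the server salts and stretches the result again with 100,000 rounds. The client round count and the use of the e-mail address as the client-side salt are assumptions, not figures from the post.

```python
import hashlib
import hmac
import os

# Assumed parameters (illustrative, not LastPass's actual implementation):
# the client stretches the master password before it leaves the device,
# then the server stretches that result again with its own random salt.
CLIENT_ROUNDS = 5_000      # assumption: client-side round count
SERVER_ROUNDS = 100_000    # the server-side count quoted in the article
SALT_BYTES = 32


def client_auth_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side PBKDF2-SHA256 over the master password.

    Assumption: the lower-cased e-mail address serves as the client-side salt,
    so the raw master password is never transmitted to the server.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), rounds)


def create_server_record(auth_hash: bytes, rounds: int = SERVER_ROUNDS) -> dict:
    """Server side: add a per-user random salt and stretch the client hash again.

    The returned dict is the only thing a database dump would contain; each
    guess against it costs the full server-side round count.
    """
    salt = os.urandom(SALT_BYTES)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds)
    return {"salt": salt, "rounds": rounds, "hash": stored}


def verify_login(record: dict, auth_hash: bytes) -> bool:
    """Recompute the server-side stretch and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def enroll_and_verify(master_password: str, email: str, attempt: str) -> bool:
    """Enroll a user, then check a login attempt against the stored record."""
    record = create_server_record(client_auth_hash(master_password, email))
    return verify_login(record, client_auth_hash(attempt, email))


if __name__ == "__main__":
    # Constructed sample credentials, not real account data.
    print(enroll_and_verify("correct horse battery staple", "user@example.com",
                            "correct horse battery staple"))
```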
LastPass has a reputation for transparency and top-tier security. Still, the company is a rich target for malicious actors, and this isn’t the first time LastPass has been the victim of an attack. In May, 2011, the company acknowledged that hackers compromised its database and made off with customer account information.
Security experts say that the breach could pose risks for LastPass customers even without unencrypted password values. “The fact that the attackers are now armed with a list of LastPass users by e-mail means that we may see some targeted phishing campaigns, presenting users with fake ‘Update your LastPass master password’ links,” said Tod Beardsley, a security engineering manager at the security firm Rapid7, in a statement. “Further direct communication from LastPass to their users about this breach should be welcome, it should be treated with suspicion if there are any embedded links and calls to action,” Beardsley warned.