Popular online password vault provider LastPass has warned users to update their master account passwords after its network was hacked.
The company wrote a blog post to notify customers initially, before sending emails direct to users. The post said that the hack was discovered on Friday, when “our team discovered and blocked suspicious activity on our network”. An investigation discovered that while the hackers had not compromised encrypted user data, “account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
In a direct followup email to customers, the company stated that it was “confident that the encryption algorithms we use will sufficiently protect our users”, but said that additional safeguards are being implemented in addition. “To further ensure your security, we are requiring verification by email when logging in from a new device or IP address.”
However, LastPass was keen to point out that the compromised data was not immediately usable to the hackers: “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
The Guardian reports that the company requested for users to update their master account password after the compromise.
Some LastPass users have responded to the news with requests for more information about the nature of the compromise, and details on how the company plans to prevent repeat attacks. However, several users posting on the company blog heralded the prompt disclosure of the attack, and praised LastPass for its stance on security.
This latest attack on the password highlights the importance of always following best security practice, while the industry continues to develop new and radical alternatives. Earlier this year, We Live Security's infographic outlined possible replacements for the password that could become dominant in future years.