Hackers have broken into leading password manager LastPass for a second time in four years in an attack the firm said has potentially compromised a range of critical user data.
These include email addresses, password reminders, authentication hashes, and some of the ‘salting’ data that makes master passwords harder to attack, but not the encrypted passwords used to access websites.
The security warning put out by the company on Monday is a mixture of the reassuring and the downright worrying.
According to the email sent by LastPass CEO Joe Siegrist, the company had detected and blocked “suspicious network activity” last Friday which it later decided represented a data compromise.
“The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
Important, however: “We have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed,” which means that the passwords users store for each website they access with LastPass are still safe.
“Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled.”
As a precaution users will also be prompted to change the master password for their LastPass vault in due course, he said.
“Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.”
What does this boil down to? All users should change their master passwords immediately and not wait to be prompted, regardless of whether they also use two-factor authentication (e.g. using the Sesame application or a YubiKey token).
In addition, all users crazy enough to use the same master password for any of the accounts in their Vault should change those immediately. Although the encrypted Vault data was not taken during the attack, it might be wise to ensure that any critical passwords stored in LastPass (e.g. for a bank account) are also changed as a precaution.
Most important of all, regular users should consider enabling one of the platform’s range of two-factor authentication technologies. Upgrading to 2FA costs $12 per annum but is a useful extra layer of protection for any web-based system.
This is not the first time LastPass has been hacked in this way. Just over four years ago, the firm put out a similar warning about a potentially even more serious compromise in which attackers stole the firm’s database of user passwords. Although that database was encrypted, attackers would in theory still have been able to pick off weak passwords within it, though no evidence emerged that this ever happened.
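To make concrete what “server per user salts” and “authentication hashes” are, and why changing the master password after a leak matters, here is an added illustration in Python. It is not LastPass’s code and the article does not describe the company’s actual scheme; the use of PBKDF2-HMAC-SHA256, the iteration count and the record layout are assumptions chosen for the example. It shows that two users with the same master password get different stored hashes because of the per-user salt, that a stolen (salt, hash) pair only lets an attacker test guesses slowly offline rather than log in, and that rotating the master password (with a fresh salt) makes the leaked copy worthless.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for illustration only. The iteration count and the
# choice of PBKDF2-HMAC-SHA256 are assumptions, not LastPass's configuration,
# which the article does not state.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def make_salt() -> bytes:
    """Per-user random salt, generated server-side when the account is created."""
    return secrets.token_bytes(SALT_BYTES)


def auth_hash(master_password: str, salt: bytes,
              iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Slow, salted authentication hash: what the server stores instead of the password.

    Each guess against a leaked (salt, hash) pair costs the attacker the same
    `iterations` rounds, which is what makes master passwords 'harder to attack'.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def create_account(master_password: str) -> dict:
    """Server-side record for a new account: the salt and hash, never the password."""
    salt = make_salt()
    return {
        "salt": salt,
        "auth_hash": auth_hash(master_password, salt),
        "iterations": PBKDF2_ITERATIONS,
    }


def verify_login(record: dict, master_password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = auth_hash(master_password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["auth_hash"])


def rotate_master_password(record: dict, new_master_password: str) -> dict:
    """Changing the master password also re-salts, so a leaked (salt, hash) pair
    no longer corresponds to anything the server will accept."""
    salt = make_salt()
    return {
        "salt": salt,
        "auth_hash": auth_hash(new_master_password, salt),
        "iterations": record["iterations"],
    }


def salt_isolates_users(password: str) -> bool:
    """Two accounts sharing a master password still get different stored hashes,
    so one cracked hash does not reveal the other account's password."""
    a, b = create_account(password), create_account(password)
    return a["auth_hash"] != b["auth_hash"]


def leaked_record_after_rotation(old_password: str, new_password: str) -> tuple:
    """Simulate the breach: an attacker keeps a copy of the old record while the
    user rotates. Returns (leaked copy matches old password, server accepts old
    password after rotation, server accepts new password after rotation)."""
    old = create_account(old_password)
    leaked_copy = dict(old)          # what the attacker walked away with
    current = rotate_master_password(old, new_password)
    return (
        verify_login(leaked_copy, old_password),   # True: offline guessing still works on the copy
        verify_login(current, old_password),       # False: old password no longer logs in
        verify_login(current, new_password),       # True: the rotated credential works
    )


if __name__ == "__main__":
    print("salt isolates users:", salt_isolates_users("correct horse battery staple"))
    print("leaked copy / old pw / new pw:", leaked_record_after_rotation("old-pass", "new-pass"))
```

The first return value is the important caveat: the leaked copy still verifies the old password, which is exactly why an attacker with the stolen salts and hashes can keep guessing weak master passwords offline, and why the advice above is to change the master password now rather than wait for a prompt.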
Sister title Techworld recently explained how to use YubiKey 2FA with LastPass on a Chromebook. The technology can also be used on PCs.