LastPass Hack : What You Need to Know

LastPass was hacked over the weekend. Before we get started, I would suggest that anyone using LastPass first read the company's security notice, which was posted yesterday. You can also expect to receive an email asking you to change your master password. LastPass is confident that the breach did not expose your encrypted vault data. If you also use your master password on other sites, change those passwords as soon as possible: the stolen authentication hashes can be attacked offline, and a weak or reused master password is the one thing in this breach an attacker could turn into access elsewhere. Don't wait to see what happens. Secure your accounts by changing passwords.

We are writing this post based on the information released by LastPass. If more details come to light in the days ahead, we will update the post. Keep an eye on the LastPass site, and don't hesitate to contact their support; I'm sure they are getting plenty of questions from concerned users right now.

Here is what you need to know. LastPass discovered suspicious activity on its network last Friday, June 12th, and took action to block it. Since then the company has investigated and does not believe that encrypted user vault data was taken or that user accounts were accessed.

Here’s a list of information that LastPass confirms was exposed during the data breach:

  • LastPass account email addresses
  • Password reminders
  • Per-user server salts
  • Authentication hashes

The LastPass team is confident that your stored passwords remain secure. Here is part of their message from the security notice:

We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
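To make the quoted strengthening concrete, here is an added Python model of the chain a login passes through and of what an attacker holding the leaked email, salt and authentication hash has to recompute for every guess. This is example code written for this post, not LastPass's own implementation: the shape (a vault key derived client-side with PBKDF2-SHA256 over the master password salted with the email, one more PBKDF2 round to turn it into a login hash, then 100,000 server-side rounds over a per-user salt) follows LastPass's public description, while the 5,000 client-side rounds, the sample accounts and the wordlist are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed model of the 2015 LastPass login chain. Not LastPass's code: the shape
# follows the company's public description (client-side PBKDF2-SHA256 over the
# master password, then 100,000 server-side rounds with a per-user salt).
CLIENT_ROUNDS = 5_000     # assumption: the default client-side iteration count at the time
SERVER_ROUNDS = 100_000   # server-side rounds stated in the security notice


def client_vault_key(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client side: the key that encrypts the vault. Derived locally, never sent."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), rounds)


def client_login_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client side: one further PBKDF2 round over the vault key, salted with the password.
    Only this value crosses the wire, so the server never learns the vault key."""
    key = client_vault_key(master_password, email, rounds)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


def server_strengthen(login_hash: bytes, server_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server side: the 'authentication hash' stored at rest, i.e. what was exposed."""
    return hashlib.pbkdf2_hmac("sha256", login_hash, server_salt, rounds)


def enroll(master_password: str, email: str, server_salt: Optional[bytes] = None) -> dict:
    """Create the per-user record the server keeps: email, random salt, strengthened hash."""
    salt = server_salt or os.urandom(16)
    auth_hash = server_strengthen(client_login_hash(master_password, email), salt)
    return {"email": email, "salt": salt, "auth_hash": auth_hash}


def verify_login(record: dict, submitted_login_hash: bytes) -> bool:
    """Normal login: re-strengthen the submitted hash and compare in constant time."""
    expected = server_strengthen(submitted_login_hash, record["salt"])
    return hmac.compare_digest(expected, record["auth_hash"])


def offline_crack(record: dict, wordlist: List[str],
                  client_rounds: int = CLIENT_ROUNDS,
                  server_rounds: int = SERVER_ROUNDS) -> Tuple[Optional[str], int]:
    """What an attacker holding a leaked (email, salt, auth_hash) tuple must do: rerun the
    whole client + server chain for every guess. Returns (recovered password or None,
    PBKDF2 iterations spent). The per-user salt stops this work being shared across
    users; it does nothing to save a single weak master password."""
    spent = 0
    for guess in wordlist:
        candidate = server_strengthen(
            client_login_hash(guess, record["email"], client_rounds), record["salt"], server_rounds)
        spent += client_rounds + 1 + server_rounds
        if hmac.compare_digest(candidate, record["auth_hash"]):
            return guess, spent
    return None, spent


# Constructed wordlist for the demonstration below.
SAMPLE_WORDLIST = ["123456", "password", "letmein", "password123", "qwerty"]

if __name__ == "__main__":
    # Constructed sample accounts: one weak master password, one strong.
    weak = enroll("password123", "alice@example.com")
    strong = enroll("correct-horse-battery-staple-9!", "bob@example.com")
    print("legit login:", verify_login(weak, client_login_hash("password123", "alice@example.com")))
    for name, rec in (("weak", weak), ("strong", strong)):
        found, spent = offline_crack(rec, SAMPLE_WORDLIST)
        print(f"{name}: recovered={found!r} after {spent:,} PBKDF2 iterations")
```

Run it and the weak account falls on the fourth guess at about 105,000 PBKDF2 iterations per guess, while the strong one survives the wordlist. That is the whole argument of the notice in one place: the rounds make each guess expensive and the per-user salt prevents precomputation, but neither rescues a master password that sits in a common wordlist, which is why changing a weak or reused master password matters more than anything else here.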

The LastPass team may be confident that the breach will not lead to compromised user passwords, but they are still taking additional precautions. For starters, they will require email verification for anyone logging into a LastPass account from a new device or IP address; that does not apply to accounts that already use multifactor authentication. They are also prompting users to change their master password.

That is everything we know about the LastPass breach right now. Once again, we will keep updating this post with the latest information, and I highly recommend that LastPass users stay informed in case more action is required. My goal isn't to debate whether or not cloud services put you at risk; I personally think that services like LastPass are providing a nice benefit over today's alternatives. However, I do have one recommendation for anyone using LastPass: add multifactor authentication to your account. It is easy to do, and it means a cracked or phished master password alone is no longer enough to log in. Keep in mind that a second factor protects the login, not the vault encryption itself; the strength of your master password is still what protects the vault if it is ever stolen. You have several free options to choose from:

  • Google Authenticator
  • Duo Security Authentication
  • Toopher Authentication
  • Transakt Authentication
  • Microsoft Authenticator App
  • Grid Multifactor Authentication

Along with some hardware authenticators that are well worth considering:

  • Yubikey Multifactor Authentication
  • Fingerprint Authentication
  • Sesame Multifactor Authentication
  • Smart Card Authentication
  • RSA SecurID
  • Salesforce#

I recommend an extra factor of authentication for any website you use that holds sensitive information, from financial institutions to popular online games. It only takes a few seconds to enter an authenticator code each time you log in, and the little bit of extra effort is well worth it.