Hackers obtain sensitive data on servers of LastPass password manager

The administrators of the password manager LastPass announced today that hackers obtained personal data from their servers. According to LastPass, the stolen data does not include the encrypted password vaults, but it does include email addresses and password reminders.


The intrusion was discovered last Friday by LastPass's system administrators. After investigation LastPass concludes that no encrypted password vaults or LastPass accounts were stolen, but that other sensitive data was nevertheless captured: email addresses, password reminders, per-user salts and authentication hashes.

According to LastPass, the hashing on its servers is strong enough to protect the password data of all users against, for example, brute-force attacks. The service uses PBKDF2-SHA256 (a key-derivation hash, not encryption) on its servers, and passwords are also hashed on the client side before they are sent. LastPass also states that the authentication hashes are generated with a random per-user salt.
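The scheme described above, as an added example that is not LastPass's own code: a constructed two-stage model in which the client derives an authentication hash from the master password with PBKDF2-SHA256 (the account email serves as the client-side salt here, an assumption), and the server hashes that value again with a random per-user salt before storing only the salt, iteration count and final hash. It shows why a stolen salt and hash still cost an attacker one full PBKDF2 derivation per guess, why two users with the same password end up with different stored hashes, and why verification should compare in constant time. Iteration counts are illustrative, not LastPass's.

```python
import hashlib
import hmac
import os

# Illustrative model constructed for this example (not LastPass's actual scheme):
# the client hashes the master password before it leaves the device, and the
# server hashes that value again with a per-user random salt before storing it.
CLIENT_ROUNDS = 5_000     # assumption; production deployments use higher counts
SERVER_ROUNDS = 100_000   # assumption
HASH_LEN = 32             # SHA-256 output size in bytes


def client_auth_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client side: derive the value sent to the server instead of the master
    password. The lower-cased account email is used as the client-side salt."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        rounds,
        HASH_LEN,
    )


def server_store(client_hash: bytes, rounds: int = SERVER_ROUNDS, salt=None) -> dict:
    """Server side at enrolment: pick a random per-user salt and persist only the
    salt, the iteration count and the resulting hash, never the client hash itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", client_hash, salt, rounds, HASH_LEN)
    return {"salt": salt, "rounds": rounds, "hash": digest}


def server_verify(record: dict, client_hash: bytes) -> bool:
    """Server side at login: re-derive with the stored salt and rounds, then compare
    in constant time so timing does not reveal how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", client_hash, record["salt"], record["rounds"], HASH_LEN
    )
    return hmac.compare_digest(candidate, record["hash"])


def same_password_different_users(password: str) -> bool:
    """Two users who chose the same master password must still get different stored
    hashes: each has a different client salt (email) and a different random server salt,
    so a leaked table cannot be attacked with one precomputed dictionary for everyone."""
    alice = server_store(client_auth_hash(password, "alice@example.com"))
    bob = server_store(client_auth_hash(password, "bob@example.com"))
    return alice["hash"] != bob["hash"]


def demo() -> dict:
    """Run the enrolment/login flow on constructed sample credentials."""
    email, password = "alice@example.com", "correct horse battery staple"
    record = server_store(client_auth_hash(password, email))
    return {
        "login_ok": server_verify(record, client_auth_hash(password, email)),
        "wrong_password_rejected": not server_verify(record, client_auth_hash("password123", email)),
        "distinct_hashes": same_password_different_users(password),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stored record is exactly what the article says was captured (salt plus authentication hash). Its protective value is the per-guess cost of `SERVER_ROUNDS` plus `CLIENT_ROUNDS` PBKDF2 iterations, which is why the advice in the article singles out weak master passwords: the iteration count multiplies the cost of each guess but does not rescue a password that falls within a small number of guesses.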

Nevertheless LastPass advises users, especially those with a weak master password for their vault, to change it as soon as possible. Users who reuse that password on other websites are also advised to change it everywhere it is used. As a precaution, every new login from an unknown IP address or a new device must additionally be verified by email, unless two-factor authentication has been enabled; in that case the master password must also be changed.

LastPass apologizes for the incident and the additional work it causes users, and promises to be as transparent as possible about the breach. The company also states that it is working with the authorities and security forensics experts to investigate the breach further.
