The company encouraged all its users to change their master password as a precautionary measure. “In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed.”
“We are confident that our encryption measures are sufficient to protect the vast majority of users”, the notice read.
LastPass employs per-user salts, which means an attacker would have to attempt to crack each encrypted master password individually rather than reusing work across accounts.
LastPass refused to comment on when the breach first occurred or what kind of attack method was used, as LastPass’ investigation is still ongoing with the help of federal authorities and third-party experts.
That sounds good, but it’s not good enough. The way it works is rather simple: users select a master password for the LastPass website, and once authenticated, they can then access all of their other passwords.
So what is a “weak password”? All password managers, online and offline, have a single point of vulnerability: your master password (and, possibly, whatever you use as your second factor in two-factor authentication). As the breach shows, though, the more walls you have between your password data and outsiders, the better. Information at risk, the researcher said, included e-mail addresses, password reminders, the list of sites users logged into, and the times, dates, and IP addresses of those logins. LastPass, our favorite password manager (and yours), has been hacked.
Others complained of problems when trying to change their master passwords, or being locked out of their accounts after making the change.
With a password manager, you don’t end up with repetitious and guessable passwords like mikenyt, mikeicloud and mikegmail for your New York Times, Apple and Google accounts respectively. The latter is what’s used to tell LastPass that you have permission to access your account. The company was readily able to block the suspicious activity detected last week.
In addition, LastPass servers are overloaded.
It is possible that criminals will use this incident to try to get you to reveal your LastPass credentials. Others made it a bit further and are getting messages such as: “Oops! Please try your password change again shortly, we will catch up soon”.