CEO Joe Siegrist released a statement late yesterday, revealing that account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
“We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
Some details about how LastPass encrypts data were also described in the blog post:
“LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed”
In an effort to ensure passwords are further protected, LastPass is “requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multi-factor authentication enabled,”
“As an added precaution, we will also be prompting users to update their master password”, Siegrist added.
If you use the same password for your LastPass account on any other websites, then LastPass recommends that you act quickly and get those changed. If your LastPass password is unique, however, then you will not need to change any other passwords as they’re certain that vault details are not at risk.
This story will be updated as more details become available. Subscribe to the Daily Sentinel to ensure that you don’t miss anything.