How many of you readers have been using Lastpass to generate and store all your passwords? Probably most. Well, you will probably not like what you’re about to hear.
According to Lastpass’ CEO Joe Siegrist, their systems got hacked last Friday. Based on their investigation they have no prominent evidence to believe that encrypted user data were stolen, but their audit has shown that LastPass account email addresses, password reminders, and master-password hashes were compromised.They feel nonetheless confident that their strong encryption algorithms will hinder hackers attempts to decrypt or for the lack of a better word crack their hashes.
“We are confident that our encryption measures are sufficient to protect the vast majority of users,” Siegrist added.
Lastpass is not unfamiliar with security breaches. The last time they faced such a problem was in 2011 were they reset users’ master passwords as a precaution following the discovery of a possible attack against its systems.
Although LastPass isn’t sure how hackers might have entered its network – if indeed that’s what happened – an assault based on an initial break-in via its Voice over IP system is the company’s best initial guess as to what might have gone wrong.
What made them suspicious was a traffic spike last Thursday on their backend database were master password hashes are stored. According to their engineers, they found out that more data were sent by their database than were received by their servers. Such activity could possibly indicate that hackers were extracting sensitive login credentials.
We want to alert our community to a recent security incident & the actions we’re taking to protect users
— LastPass (@LastPass) June 15, 2015
How serious is this situation?
These login credentials, although encrypted could leave users with small passphrases at risk of brute-force dictionary attacks.
According to Joseph Bonneau, a Stanford cryptography researcher who’s focused on password security, Lastpass reset its users passwords and notified security experts a couple of days after it found out about the attack. But if the attack took place before the official date -which was Friday-, it is possible that even stronger master passwords could have been compromised.
The potential damage here? Identity thieves might suddenly have access to important information such as email accounts, social media, banks, hospital records -everything.
For years, security experts have touted that using a password storage vault is the most secure way to go. Well, it seems that this isn’t a solution as well.
“The recommended standard best practice is to use a password manager. It’s the best way to deal with the tragedy of passwords,” said Jon Oberheide, from Duo Security.
What can clients do now?
Right now Lastpass has reset all of its users Master Passwords and requires email verification before they can log in and change them.
Bottom line: Go ahead and change your master password. With something really strong (not any of these). And don’t forget to enable second-factor authentication.
Have something to add to this story? Feel free to sound off in the comments’ section below.
