In a blog post, Joe Siegrist, the company’s founder and CEO, wrote, “We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network.”
LastPass, a frequently used add-on
LastPass is a popular password manager add-on that can be installed on browsers, smartphones and other devices from which users access email and other services that require a security verification, usually in the form of a password.
Here’s how LastPass works:
- LastPass users set up one master password that grants them access to a vault of all their individual passwords, which are encrypted and stored on LastPass’ servers.
- While the servers hold all of LastPass users’ passwords, they are extremely hard for hackers to crack, since they are encrypted to begin with.
- LastPass itself has no means to access its users’ passwords, as the encryption and decryption of each password happen on the users’ devices. Essentially, neither LastPass nor any hacker gaining access to LastPass servers has access to any plain (non-encrypted) user passwords.
The hackers’ bounty
Siegrist noted that, “The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
As LastPass does not store user passwords, the password the user first enters is put through a one-way hashing algorithm on the user’s side, and only the resulting hash is stored on the LastPass servers. Whenever the password is entered subsequently, the hash of the entered password must match the value stored by LastPass. These hashes are immensely hard to crack, and unless hackers know the exact algorithm used by LastPass, these hashed passwords are seldom cracked.
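To make the hashing-and-matching flow concrete, the following is an added example written for this article; it is not LastPass’s code and does not claim to reproduce LastPass’s actual scheme. It assumes a salted, slow PBKDF2-SHA256 derivation (the algorithm, iteration count and salt length are constructed choices) and shows the three properties the text relies on: the server keeps only a hash, not the password; login is re-derivation plus comparison; and a per-user salt gives two users with the same password different stored hashes, so a hash leaked for one account says nothing about another.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example only; NOT LastPass's real settings.
HASH_NAME = "sha256"
ITERATIONS = 100_000   # work factor: every guess against a leaked hash costs this much
SALT_BYTES = 16        # per-user random salt, stored alongside the hash


def derive_auth_hash(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way derivation: PBKDF2-HMAC over the master password with a per-user salt.
    The output is what the server stores; the password itself never is."""
    return hashlib.pbkdf2_hmac(HASH_NAME, master_password.encode("utf-8"), salt, iterations)


def register(user_db: dict, email: str, master_password: str) -> None:
    """Create a fresh random salt for the user and store only (salt, auth_hash)."""
    salt = os.urandom(SALT_BYTES)
    user_db[email] = {"salt": salt, "auth_hash": derive_auth_hash(master_password, salt)}
    # master_password goes out of scope here; nothing recoverable is kept.


def verify(user_db: dict, email: str, candidate: str) -> bool:
    """Re-derive the hash from the candidate password and compare in constant time,
    so a wrong guess cannot be distinguished by timing from a nearly-right one."""
    record = user_db.get(email)
    if record is None:
        return False
    candidate_hash = derive_auth_hash(candidate, record["salt"])
    return hmac.compare_digest(candidate_hash, record["auth_hash"])


def demo() -> dict:
    """Exercise the flow with constructed users and return the observed outcomes."""
    db = {}
    register(db, "alice@example.com", "correct horse battery staple")
    register(db, "bob@example.com", "correct horse battery staple")   # same password as Alice
    return {
        "alice_ok": verify(db, "alice@example.com", "correct horse battery staple"),
        "alice_wrong": verify(db, "alice@example.com", "wrong password"),
        "unknown_user": verify(db, "nobody@example.com", "anything"),
        # Same password, different salts -> different stored hashes.
        "distinct_hashes": db["alice@example.com"]["auth_hash"] != db["bob@example.com"]["auth_hash"],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The iteration count is the defender’s lever: raising it slows every offline guess against a leaked authentication hash by the same factor, while a legitimate login pays that cost only once. The constant-time comparison matters because the server is the only party that sees both values side by side.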
Siegrist elaborated on this point in the same blog post: “In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed.”
Siegrist also stated in the notice, “We are confident that our encryption measures are sufficient to protect the vast majority of users.”
To limit the damage from the breach, LastPass has advised users to change their master password if it was weak to begin with. LastPass also recommends enabling multi-factor authentication, a security feature recommended by many major technology companies, including Google, whose Google Authenticator app adds a second factor to many popular Google services such as Gmail.
If you’re a LastPass user, changing every password within your vault isn’t necessary. Changing your master password to a stronger, more secure one is highly recommended.