The master password service LastPass has stated in a blog post that it noticed and blocked suspicious activity on its network on Friday. LastPass claims that no encrypted user Vault data was taken; however, LastPass account email addresses, password reminders, server per-user salts, and authentication hashes were compromised.
LastPass is politely telling users not to panic and says they do not necessarily need to change their passwords, because it trusts its level of encryption: it uses an authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256.
Users who try to log in to their LastPass accounts from new devices or IP addresses will be asked to verify their accounts by email, except for those who have two-factor authentication enabled.
If you have a weak master password or if you have reused your master password on any other website, please update it immediately. Then replace the passwords on those other websites.
Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account. – LastPass
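Why a random salt and 100,000 rounds of PBKDF2-SHA256 protect a strong master password but leave a weak one exposed once the hashes have leaked, as an added example (not LastPass's code). The salt length, the record layout and the sample passwords are assumptions, and the page does not say exactly what value is fed into the server-side hash; a plain password string is used here.

```python
import hashlib
import hmac
import os
import time

ROUNDS = 100_000   # server-side PBKDF2-SHA256 round count quoted in the article
SALT_BYTES = 16    # assumption: the article does not state the salt length


def new_record(secret: str) -> dict:
    """Create what a server would store: a random per-user salt plus the stretched hash."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ROUNDS)
    return {"salt": salt, "rounds": ROUNDS, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and rounds; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["rounds"]
    )
    return hmac.compare_digest(digest, record["hash"])


def seconds_per_guess(record: dict, samples: int = 3) -> float:
    """Measure what one verification (one guess against one user) costs on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        verify(record, f"constructed-wrong-guess-{i}")
    return (time.perf_counter() - start) / samples


def hours_to_exhaust(guesses: int, per_guess: float) -> float:
    """Time to try `guesses` candidates against ONE salted record at the measured rate."""
    return guesses * per_guess / 3600


if __name__ == "__main__":
    # Constructed sample accounts: two users who picked the same password.
    alice = new_record("correct horse battery staple")
    bob = new_record("correct horse battery staple")
    print("same password, same hash?", alice["hash"] == bob["hash"])  # salts differ
    cost = seconds_per_guess(alice)
    print(f"one guess costs about {cost * 1000:.1f} ms on this machine")
    # A short list of common passwords is cheap to try; a large random space is not.
    print(f"10,000 common passwords: {hours_to_exhaust(10_000, cost):.2f} h")
    print(f"10**12 random candidates: {hours_to_exhaust(10**12, cost):.0f} h")
```

The per-user salt forces the work to be repeated for every account, and the round count multiplies the cost of each guess, but neither helps a master password that sits near the top of a common-password list.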
It is embarrassing for a service that is aimed at giving users the comfort of security to be compromised, but hey, it's technology, and almost everything can be broken into.