Change Your Passwords! LastPass Succumbs To Cyberattackers

The parade of banks, insurance companies and retailers that have suffered data breaches has caused many people to store their passwords with sites like LastPass. The security company creates a unique password for each of the user’s logins and provides access to those passwords via a single, master password.

Now, LastPass is admitting that at least some of its data has been compromised. The company believes that its customers are not vulnerable, but it concedes that email addresses and authentication hashes are among the data affected. Password reminders and server per-user salts were also compromised.

“In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed,” said LastPass CEO Joe Siegrist in a blog post. “The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”

Although LastPass hasn’t found any evidence of user accounts having been accessed, it’s asking users to update their master passwords. That may be trickier than it sounds, because LastPass has simultaneously tightened its password-changing procedures. Anyone logging in from a new device will need to verify their identity, usually by email.

[Image: LastPass hack notification. A portion of the LastPass blog post about the breach.]

The real question here is how much time the attacker has had to work on the stolen password hashes. Users with weak master passwords are the most exposed, but whether you consider yourself a password guru or not, updating your LastPass master password is a must. The company is now emailing its users with password-changing instructions.