LastPass Password Vault Hit by Hackers

LastPass, the cloud-based password vault that keeps and stores users’ authentication credentials for all things online, has, you guessed it, been compromised.

While encrypted user vault data does not appear to have been accessed, LastPass account email addresses, password reminders, server per user salts and authentication hashes were compromised.

“We are confident that our encryption measures are sufficient to protect the vast majority of users,” LastPass said in a notice on its website. “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
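The two-stage strengthening the notice describes, as an added illustration rather than LastPass's own code: the client stretches the master password with PBKDF2-SHA256, and the server re-stretches whatever the client sends with a random per-user salt and 100,000 further rounds, so a verifier (or anyone holding a stolen record) must redo both stages for every candidate password and cannot share work across users. The 5,000 client-side rounds, the use of the e-mail address as the client-side salt, and all names below are assumptions; the article gives only the server-side figure.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

CLIENT_ROUNDS = 5_000    # assumed client-side iteration count; not stated in the article
SERVER_ROUNDS = 100_000  # server-side rounds quoted in the LastPass notice


@dataclass(frozen=True)
class StoredCredential:
    """What the server keeps per user: e-mail, per-user salt and strengthened hash.
    This is the kind of record the article says was compromised."""
    email: str
    salt: bytes
    auth_hash: bytes


def client_hash(email: str, master_password: str) -> bytes:
    """Client-side stretching before anything leaves the browser.
    Using the lower-cased e-mail as the salt is an assumption for this example."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def server_enroll(email: str, client_sent: bytes, salt: Optional[bytes] = None) -> StoredCredential:
    """Server side at account creation: never stores client_sent directly, but
    re-stretches it with a fresh random salt and SERVER_ROUNDS more iterations."""
    salt = os.urandom(16) if salt is None else salt
    strengthened = hashlib.pbkdf2_hmac("sha256", client_sent, salt, SERVER_ROUNDS)
    return StoredCredential(email, salt, strengthened)


def server_verify(stored: StoredCredential, client_sent: bytes) -> bool:
    """Server side at login: recompute the second stage from the submitted value
    and compare in constant time. Every candidate costs the full round count."""
    candidate = hashlib.pbkdf2_hmac("sha256", client_sent, stored.salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored.auth_hash)


if __name__ == "__main__":
    # Constructed sample account, not real data.
    sent = client_hash("alice@example.com", "correct horse battery staple")
    record = server_enroll("alice@example.com", sent)
    print("login ok:", server_verify(record, sent))
    print("wrong password:", server_verify(record, client_hash("alice@example.com", "guess")))
```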

The company said that users do not need to change the passwords for sites stored in their LastPass vault, but those who have weak master passwords, or who have reused their master password on any other website, should update them immediately.

While details are skimpy, “what this means is that attackers seem to have all they need to start brute-forcing master passwords,” said Rapid7’s security engineering manager, Tod Beardsley, via email. “So far, the attackers do not seem to have access to the passwords encrypted with that master password. They incidentally have a list of LastPass users by e-mail address.”

Also, the fact that the attackers are now armed with a list of LastPass users by e-mail means that there could be some targeted phishing campaigns, presenting users with fake “Update your LastPass master password” links, he warned.

Devin Egan, co-founder and CTO of LaunchKey, told Infosecurity that the incident should make people rethink their authentication approaches in general.

“Password vaults in the cloud are potentially dangerous as a breach like this could expose every password to every site for a wide range of users,” he said. “As LastPass themselves recommend, users need to enable additional factors of authentication on these systems as protecting this data with a password alone is not secure. Unlike a site that stores passwords one-way hashed, a password manager encrypts the users' passwords with a way to decrypt them so they can be used later. Thus, LastPass's breached hashes and salts will be under attack and any successful crack could lead to a specific user without additional factors of authentication open to further data breaches.”
