LastPass suffered a network intrusion on Friday and is advising users to change their master passwords to avoid having their accounts compromised.
“In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed,” Joe Siegrist, CEO of LastPass, said in a blog post on Monday. “The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
Salting and hashing turn user passwords into strings of characters that are impossible to reverse – at least in theory.
What can hackers do with your LastPass password?
Brute-force their way into accounts, or run precisely targeted phishing campaigns, for instance by prompting users with fake “Update your LastPass master password” messages.
The company says encrypted data was not “taken,” so the account passwords stored in LastPass are safe. LastPass is also confident that the attackers can’t open the cryptographically locked user vaults where those plain-text passwords are stored.
“We are confident that our encryption measures are sufficient to protect the vast majority of users,” Siegrist wrote. “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
PBKDF2-SHA256 is a password-strengthening (key-derivation) algorithm that applies SHA-256 many thousands of times to a password and salt, so that each guess in a brute-force attack becomes slow and resource-intensive.
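The layered scheme Siegrist describes (a client-side PBKDF2-SHA256 value, then 100,000 further server-side rounds with a random per-user salt) can be modelled as follows. This is an added illustration, not LastPass's code; the client-side round count of 5,000 and the use of the account email as the client-side salt are assumptions, since the article does not state them.

```python
import hashlib
import hmac
import os

# Assumed client-side round count (the article does not give one).
CLIENT_ROUNDS = 5_000
# Server-side round count quoted in the article.
SERVER_ROUNDS = 100_000
KEY_LEN = 32  # bytes of derived key


def client_auth_hash(master_password: str, email: str) -> bytes:
    """Client-side PBKDF2-SHA256 over the master password.
    Using the lower-cased account email as the salt is an assumption made
    for this example. This value, never the master password itself, is
    what the client sends to the server for authentication."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS, KEY_LEN)


def server_strengthen(auth_hash: bytes, per_user_salt: bytes) -> bytes:
    """Server-side strengthening: PBKDF2-SHA256 of the received auth hash
    with a random per-user salt. Only the salt and this output are stored,
    which is exactly the data the article says was compromised."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt,
                               SERVER_ROUNDS, KEY_LEN)


def enroll(master_password: str, email: str) -> dict:
    """Create the server-side record for a new user."""
    salt = os.urandom(16)  # fresh random per-user salt
    stored = server_strengthen(client_auth_hash(master_password, email), salt)
    return {"email": email, "salt": salt, "stored_hash": stored}


def verify(record: dict, master_password: str) -> bool:
    """Recompute both stages and compare in constant time."""
    candidate = server_strengthen(
        client_auth_hash(master_password, record["email"]), record["salt"])
    return hmac.compare_digest(candidate, record["stored_hash"])


def rounds_per_offline_guess() -> int:
    """Work an attacker holding a leaked record must do per password guess."""
    return CLIENT_ROUNDS + SERVER_ROUNDS
```

Because the per-user salt is random, two users with the same master password get different stored hashes, and every guess against a leaked record costs the full client-plus-server iteration count.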
Nonetheless, the company advises users who log in to the service from a new device or IP address to verify their identities via email or two-factor authentication.
Two-factor authentication is a security feature that requires users to confirm their identity by entering a code sent to a device after entering their credentials.