Bad news first, folks. LastPass, our favourite password manager, has been hacked. It’s time to change your master password. The good news is that the passwords you have saved for other sites should be safe.
LastPass announced on its company blog that it had detected an intrusion on its servers. While encrypted user data (read: your stored passwords for other sites) was not stolen, the intruders did take LastPass account email addresses, password reminders, server per-user salts, and authentication hashes. The latter is what’s used to tell LastPass that you have permission to access your account.
According to LastPass, the authentication hashes should be sufficiently encrypted to prevent anyone from using them to access your account. However, the company is still prompting all users to update the master password they use to log in to their LastPass account. If you use LastPass, you should do this immediately. If you share that master password with any other services, you should change it there, too.
Finally, if you haven’t enabled two-factor authentication, you should do that immediately.
We’ve talked about what happens if LastPass gets hacked before. As it stands, it doesn’t seem that this hack resulted in any significant data losses for users. However, it’s still important to take the steps necessary to protect your account as soon as you can.
LastPass Security Notice [LastPass]
Comments
One response to “LastPass Hacked, Change Your Master Password Now”
Bit hard to do it right now, they’re asking us to try again later. Can anybody recommend a good fingerprint reader?
I use the YubiKey for 2FA. It’s cheap and easy to carry with you and works with LastPass. https://www.yubico.com/
If you’re security conscious you should already have 2-step auth with Google Authenticator or one of the many other supported apps and devices for LastPass.
I just changed my password, although I wasn’t really concerned as I have 2-step already running.
Kudos to LastPass for detecting the intrusion in its network – presumably before the hackers were able to do more damage, or make away with the master password. Still, 2FA is definitely a must these days, and you should set it if you’ve not already done so. – Paul Mah, commenting on behalf of IDG and FireEye.