LastPass Password Manager Acknowledges Breach
Joe Siegrist, the LastPass chief executive, said the company discovered the breach on Friday after detecting suspicious activity on its network. The company said that it found no evidence that LastPass user accounts were compromised, or that hackers were able to get users’ master passwords, or passwords encrypted with that user password.
But the data the hackers did access, including email addresses and password reminders, is still troubling, security experts note: an email address doubles as the username on most services, and a password reminder is often enough of a hint for an attacker to guess the password that goes with it and unlock the victim's email account.
Tod Beardsley, a security engineering manager at Rapid7, said that the attack gave hackers a list of LastPass user email addresses that they could target in so-called phishing attacks, in which they send victims emails with links that try to trick users into revealing more data, like a fake “Update your LastPass master password” email, that can be used to crack their accounts.
LastPass said it would be resetting users’ master passwords, and advised users to turn on multifactor authentication, an added security measure that requires a second, one-time password, often sent to users via text message, any time they log in to their accounts from an unrecognized machine.
The company said it was confident that its encryption measures would be enough to protect the vast majority of its users. LastPass strengthens the keys derived from master passwords by putting them through a large number of hashing iterations: it appends random data (a salt) to each password and then hashes the result repeatedly, more than 100,000 times, which makes stolen hashes far slower to break with password-cracking tools.
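As an added illustration, not LastPass's own code (the article does not name the exact scheme), the following Python uses PBKDF2-HMAC-SHA256 as an assumed stand-in for the salted, iterated derivation described above. It builds a stored record from a per-user random salt and an iteration count, verifies a candidate password against it, and runs a toy offline dictionary attack so the cost of the 100,000-round figure quoted in the article can be measured directly. The word list and records are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters: the article only says the hash is iterated "more than
# 100,000 times" over a salted password; PBKDF2-HMAC-SHA256 is a stand-in.
ITERATIONS = 100_000
KEY_LEN = 32  # bytes of derived key to store


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated key derivation: same password + same salt + same count -> same key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, KEY_LEN)


def make_record(master_password: str, iterations: int = ITERATIONS) -> dict:
    """What a server would store: a fresh random salt, the work factor, and the derived key.
    A fresh salt per user means two users with the same password get different hashes,
    so an attacker cannot reuse one precomputed table across the whole stolen database."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "hash": derive_key(master_password, salt, iterations)}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison of a candidate password against a stored record."""
    return hmac.compare_digest(record["hash"], derive_key(candidate, record["salt"], record["iterations"]))


def crack(record: dict, wordlist: list) -> tuple:
    """Offline dictionary attack on one stolen record.
    Returns (recovered password or None, number of guesses spent). Every guess costs
    the full iteration count, which is the whole point of the work factor."""
    for n, guess in enumerate(wordlist, start=1):
        if verify(record, guess):
            return guess, n
    return None, len(wordlist)


def time_crack(record: dict, wordlist: list) -> tuple:
    """Run crack() and report wall-clock seconds so iteration counts can be compared."""
    t0 = time.perf_counter()
    result = crack(record, wordlist)
    return result, time.perf_counter() - t0


if __name__ == "__main__":
    # Constructed word list; the real password is last so every guess is paid for.
    wordlist = ["123456", "password", "letmein", "qwerty", "lastpass",
                "Summer2015", "welcome1", "dragon", "monkey", "correct horse"]

    weak = make_record("correct horse", iterations=1)          # unsalted-style single hash cost
    strong = make_record("correct horse", iterations=ITERATIONS)

    (pw_w, n_w), t_w = time_crack(weak, wordlist)
    (pw_s, n_s), t_s = time_crack(strong, wordlist)
    print(f"1 iteration:       found {pw_w!r} after {n_w} guesses in {t_w:.4f}s")
    print(f"{ITERATIONS} iterations: found {pw_s!r} after {n_s} guesses in {t_s:.4f}s")
    print(f"slowdown factor: {t_s / max(t_w, 1e-9):.0f}x")

    # Same password, two different salts -> two different stored hashes.
    a, b = make_record("correct horse", 1000), make_record("correct horse", 1000)
    print("per-user salt gives distinct hashes:", a["hash"] != b["hash"])
```

Run it and compare the two timings: the attacker's cost per guess scales linearly with the iteration count, which is why a leaked database of well-salted, heavily iterated hashes buys users time to change passwords, but only for passwords that are not near the top of a word list.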
The attack was the second breach notification from LastPass. The first incident happened four years ago. The latest attempt to access the company’s passwords was discovered on Friday, but a picture posted to Imgur, the image sharing site, of a Google security warning suggests that hackers may have found a way inside the service as long as three weeks ago.