LastPass says user account email addresses, password reminders, server per user salts, and authentication hashes compromised.

Dark Reading Staff, Dark Reading

June 16, 2015


The ongoing password migraine continues: popular cloud-based password management service LastPass yesterday said it had suffered a data breach, exposing user account email addresses, password reminders, server per user salts, and authentication hashes. The company said it has "no evidence" that encrypted user vault data was stolen, however.

"We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed," LastPass said in a post on its website.
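The layering LastPass describes (client-side rounds, then a random per-user salt and 100,000 server-side PBKDF2-SHA256 rounds) can be sketched as follows; this is an added example, not LastPass's code and not part of the original article. Only the 100,000 server-side rounds come from the quote: the client-side round count, the use of the email as client-side salt, the salt length and all function names are assumptions.

```python
import hashlib
import hmac
import os
import time

SERVER_ROUNDS = 100_000  # server-side PBKDF2-SHA256 rounds quoted in the article
CLIENT_ROUNDS = 5_000    # assumption: the article gives no client-side figure
SALT_BYTES = 16          # assumption: salt length is not stated in the article


def client_auth_hash(email, master_password):
    """Client side: stretch the master password before anything is sent.

    Assumption: the normalized account email is the client-side salt.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.strip().lower().encode(), CLIENT_ROUNDS
    )


def server_enroll(auth_hash):
    """Server side: fresh random per-user salt plus 100,000 more rounds."""
    salt = os.urandom(SALT_BYTES)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return salt, stored


def server_verify(auth_hash, salt, stored):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def seconds_per_guess():
    """Wall-clock cost of testing one candidate password on this machine."""
    start = time.perf_counter()
    server_enroll(client_auth_hash("user@example.com", "candidate"))
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample accounts: two users sharing one master password.
    a = server_enroll(client_auth_hash("alice@example.com", "correct horse"))
    b = server_enroll(client_auth_hash("bob@example.com", "correct horse"))
    print("records differ:", a[1] != b[1])
    print("login ok:", server_verify(client_auth_hash("alice@example.com", "correct horse"), *a))
    print("cost of one guess: %.3f s" % seconds_per_guess())
```

Because every record carries its own random salt, identical master passwords produce different stored values, so a precomputed table or a single cracking pass cannot be shared across accounts.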

Customers of the service who are not using multifactor authentication for LastPass must now verify their accounts via email when logging in from a new device or IP address. LastPass also will alert users to update their master password.

"You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites," LastPass said. "Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault."

