In a blog post shared today, LastPass has posted the following.
We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
Emphasis added to a few key points by me. Of course, you’ll have to visit the link at the top to read the entire thing in full. But the main thing is that the passwords for your various logins that you enter into LastPass are safe. It’s only the Master Password that they’re recommending you change, and they’re doing that on a “we think you’re safe but let’s play it smart and change it anyway” note.
This isn’t the devastating kind of hack that has taken place quite a bit over the past few years, but it is annoying nonetheless. I say this as someone who uses LastPass.
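To make the hashing claim in the notice concrete, here is an added sketch (not code from LastPass or from this post) of a per-user random salt plus 100,000 rounds of server-side PBKDF2-SHA256 layered on top of client-side rounds, and of what that costs per password guess. The 5,000 client-side rounds, the use of the email address as the client-side salt, and every function name are assumptions; the notice specifies none of them.

```python
import hashlib
import hmac
import os

SERVER_ROUNDS = 100_000  # figure quoted in the notice
CLIENT_ROUNDS = 5_000    # assumption: the notice gives no client-side count


def client_hash(email, master_password):
    """Client-side stretching (assumed layout): only this value is sent to the server."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def server_record(login_hash, salt=None):
    """Server-side strengthening: random per-user salt plus 100,000 more rounds."""
    salt = os.urandom(32) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ROUNDS)


def verify(email, candidate, salt, stored):
    """Recompute both stages for a login attempt and compare in constant time."""
    _, computed = server_record(client_hash(email, candidate), salt)
    return hmac.compare_digest(computed, stored)


def iterations_per_guess():
    """PBKDF2 iterations needed to test ONE candidate against ONE stolen record."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


def seconds_to_exhaust(candidates, iterations_per_second):
    """Time to try `candidates` passwords against a single user's record."""
    return candidates * iterations_per_guess() / iterations_per_second


if __name__ == "__main__":
    # Constructed sample account, for illustration only.
    email, password = "user@example.com", "correct horse battery staple"
    salt_a, rec_a = server_record(client_hash(email, password))
    salt_b, rec_b = server_record(client_hash(email, password))
    # Same password, different salts: records differ, so work on one
    # user's hash cannot be reused against another user's.
    print(rec_a != rec_b, verify(email, password, salt_a, rec_a))
    # A short or common master password is still reachable: the stretching
    # multiplies the cost of each guess, it does not add entropy.
    print(seconds_to_exhaust(10**6, 10**9), "s for a 1M-word list at 1e9 iter/s")
```

The last line shows why the notice says "the vast majority of users" rather than all of them: a master password that appears in a common wordlist is tested quickly even with the extra rounds, which is the practical reason to change a weak one.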
You can visit the link to directly change your password here, although you may run into issues as I did.
I personally use a Master Password that is ridiculously long, but I’ll be changing it nonetheless because better safe than sorry.
I really feel like a jerk being the one who has to break news like this semi-regularly to you all. On the bright side, I am hopefully saving all of you trouble down the line by making you aware of these things as soon as I find out about them.