LastPass has alerted its users that it suffered an attack, and that some of its users’ private information was compromised.
LastPass is a cloud-based password management service which centralises user password management using one master password.
The company said its team discovered and blocked suspicious activity on its network.
“In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed,” the company said.
However, the investigation showed that LastPass account email addresses, password reminders, per-user server salts, and authentication hashes were compromised.
LastPass said it is confident that its encryption measures are sufficient to protect the vast majority of users.
LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side.
This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
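The following is an added illustration of the scheme the article describes, not LastPass's own code: the client derives an authentication hash from the master password, and the server strengthens that value with a random per-user salt and 100,000 further rounds of PBKDF2-SHA256 before storing it. The client-side round count (5,000) and the use of the account email as the client-side salt are assumptions made for the example; the page gives neither. The example shows why a stolen salt-plus-hash record is expensive to attack (each guess must repeat the server-side work) and why two users with the same master password end up with unrelated stored hashes.

```python
import hashlib
import hmac
import os

# Assumed for this example; the article does not state the client-side count.
CLIENT_ROUNDS = 5_000
# Stated in the article: 100,000 server-side rounds of PBKDF2-SHA256.
SERVER_ROUNDS = 100_000


def client_auth_hash(master_password: str, email: str,
                     rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side derivation: what the client would send at login.

    Using the email as the client-side salt is an assumption for this
    example; it only needs to be a per-account, non-secret value.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), rounds)


def server_strengthen(auth_hash: bytes, salt: bytes,
                      rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side strengthening with a random per-user salt.

    An attacker holding the stored record must repeat these rounds for
    every candidate master password, for every user separately.
    """
    return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds)


def enroll(master_password: str, email: str) -> dict:
    """Create the record the server would persist for a new account."""
    salt = os.urandom(16)  # random per-user server salt
    stored = server_strengthen(client_auth_hash(master_password, email), salt)
    return {"email": email, "salt": salt, "hash": stored}


def verify(record: dict, master_password: str) -> bool:
    """Check a login attempt against the stored record in constant time."""
    candidate = server_strengthen(
        client_auth_hash(master_password, record["email"]), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def same_password_differs(master_password: str) -> bool:
    """Two accounts with the same master password get unrelated stored hashes,
    because the per-user salt changes the server-side input."""
    a = enroll(master_password, "alice@example.test")  # constructed sample
    b = enroll(master_password, "bob@example.test")    # constructed sample
    return a["hash"] != b["hash"] and a["salt"] != b["salt"]


if __name__ == "__main__":
    rec = enroll("correct horse battery staple", "alice@example.test")
    print("stored salt:", rec["salt"].hex())
    print("stored hash:", rec["hash"].hex())
    print("correct password verifies:", verify(rec, "correct horse battery staple"))
    print("wrong password verifies:  ", verify(rec, "Tr0ub4dor&3"))
    print("same password, different users, different hashes:",
          same_password_differs("correct horse battery staple"))
```

The point of `server_strengthen` is that the cost of one guess is paid on the server's schedule, not the attacker's: with the record in hand, testing a candidate master password still means 100,000 SHA-256-based rounds, and the per-user salt means that work cannot be shared across accounts or precomputed in advance.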
Nonetheless, the company is now taking additional measures to ensure that users’ data remains secure.
“We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled.”
“As an added precaution, we will also be prompting users to update their master password.”
The company said users do not need to update their master password until they see the LastPass prompt.
“However, if you have reused your master password on any other website, you should replace the passwords on those other websites.”
Because encrypted user data was not taken, users do not need to change their passwords for sites stored in their LastPass vault.