According to the information posted on the blog, the company did not find evidence that LastPass user accounts were accessed or user vault data was downloaded. The company did not mention when it first noticed the breach but some users reported that they started to receive spam to email addresses used exclusively for the password manager account on June 8th.
LastPass' investigation confirmed that account email addresses, password reminders, server per user salts and authentication hashes were compromised.
The company, confident in the service's protective features, enabled additional security measures for the majority of accounts.
For instance, it requires all users to verify the account by email again if a new device or IP address is used to access the account. This is not the case for log ins on known devices or from known IP addresses, and also only the case if multi-factor authentication is not used.
In addition to that, users will receive prompts to update their master password.
The company is forthcoming with information. It sent emails to all users informing them about the security incident.
Since encrypted user data was not stolen, LastPass does not require users to change passwords for sites and services stored by the service in the cloud.
The information that were stolen may be used by the attackers to decrypt master passwords, especially if weak passwords were selected by users.
What you should do
Even though you may not receive prompts to change your master password, you may want to change it regardless of that. This can be done directly on the LastPass website for instance.
In addition, it is recommended to enable multifactor authentication for accounts to add a second layer of protection to them.
LastPass supports a variety of software and hardware based authentication options of which some are only available for premium users.
Once you enable the security feature, log ins require a second authentication step that is independent of the data stored by LastPass. For instance, you may use Google Authenticator, an application by Google, to create codes for the second login phase. Attackers would need access to your phone or mobile device Google Authenticator is running on to complete that step.
Apart from that, you need to make sure that you did not re-use your master password. If you did, it is recommended to change it immediately as well.
Last but not least, since attackers got hold of email addresses, you may receive spam emails or social engineering attacks that try to steal data from you directly.
The service suffered a breach back in 2011 as well which I was affected by. I made the decision back then to switch to the local password manager KeePass after changing hundreds of account passwords on the Internet.
Online password services are high profile targets for attackers as they store accounts for thousands or even millions of users.
Now You: Are you affected by the breach?
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.