LastPass users urged to change master password following hack attack

Oh, the irony

Popular password management service LastPass was hacked on Friday, the company has revealed.

In a company blog post published Monday, the service claims that it found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed.

However, LastPass account email addresses, password reminders, server per-user salts and authentication hashes were confirmed to have been compromised.

The combination of the first two could be particularly useful for hackers looking to break into specific online services.

Deja vu

It's not the first time that the service has suffered a security snafu. In 2011 LastPass claimed that an anomaly in the site's incoming and outgoing network traffic could, theoretically, have been a hack, placing details of more than a million customers at risk.

To mitigate any security risks, LastPass is requiring all users that are logging in from a new device or IP address to verify their account by email (unless they have multi-factor authentication enabled) and change their master password.

That will not solve the decade-old issue of spoof emails. Expect a whole raft of fake LastPass emails to hit customers with their correct password reminders before urging them to sign into a new account.


Editor, TechRadar Pro

Désiré (Twitter, Google+) has been musing and writing about technology since 1997. Following an eight-year stint at where he discovered the joys of global techfests, developing an uncanny attraction for anything silicon, Désiré now heads up TechRadar Pro.