LastPass users urged to change master password following hack attack


Popular password management service LastPass was hacked on Friday, the company has revealed.

In a company blog post published Monday, the service claims that it found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed.

However, LastPass account email addresses, password reminders, server per-user salts and authentication hashes were confirmed to have been compromised.

The combination of the first two could be particularly useful for hackers looking to break into specific online services.

Deja vu

It's not the first time that the service has suffered a security snafu. In 2011 LastPass claimed that an anomaly in the site's incoming and outgoing network traffic could, theoretically, have been a hack, placing details of more than a million customers at risk.

To mitigate any security risks, LastPass is requiring all users that are logging in from a new device or IP address to verify their account by email (unless they have multi-factor authentication enabled) and change their master password.

That will not solve the decade-old issue of spoof emails. Expect a whole raft of fake LastPass emails to hit customers with their correct password reminders before urging them to sign into a new account.