Welcome to WebmasterWorld Guest from 34.229.24.100

Forum Moderators: phranque

Message Too Old, No Replies

LastPass Hacked: Time to change your master password

     
12:54 am on Jun 16, 2015 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts:15149
votes: 170


https://blog.lastpass.com/2015/06/lastpass-security-notice.html/ [blog.lastpass.com]

LastPass Security Notice

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
...
We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.

The suggestion is to wait until LastPass sends you an e-mail and prompts you to change your master password.

Although this is a somewhat worrying event I'm not too concerned about the contents of my password database as it's an encrypted blob and I've limited access to my account to only a few trusted IPs. Everyone should also have two-factor authentication turned on.
9:17 am on June 17, 2015 (gmt 0)

New User

joined:May 27, 2015
posts:25
votes: 0


Good thing I'm not using LastPass. Man, news articles like these really put a damper on everyone...
9:17 pm on June 17, 2015 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts:15149
votes: 170


Not sure you understand the situation. Heavily encrypted hashes of master passwords may have been accessed (LastPass doesn't know your password). As a precaution they're advising people simply to change their master passwords. Even if you ignored this advice it would be extremely difficult for anyone to crack what might have been accessed.