These days, it appears as if no one is safe from hackers. Just a week after the security firm Kaspersky announced that they had been hacked comes word that LastPass, a password security company, has been hacked as well.
LastPass, for those unfamiliar with the service, operates as a secure vault for all of a user’s sensitive Internet passwords. The way it works is rather simple: users select a master password for the LastPass website, and once authenticated, they can then access all of their other passwords.
Of course, any time there’s a site whose business model revolves around the storage of sensitive passwords, it’s a safe bet that hackers will do their best to break in, which is exactly what happened this past weekend.
In a blogpost detailing the recent security compromise, Joe Siegrist of LastPass writes that “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
Nonetheless, because the information on LastPass’ servers is heavily encrypted, Siegrist writes that it’s extremely unlikely that the hackers will be able to do much with what they uncovered.
“We are confident that our encryption measures are sufficient to protect the vast majority of users,” Siegrist writes. “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
Naturally, LastPass will be requiring its customer base to update their master password as a precautionary measure. To be clear, encrypted passwords for other sites which reside in LastPass’ vault were not taken during the security breach, which is to say that users only need to change their master password.
A security breach is never good news, but when it does happen, it’s nice to see a company get out in front of it and be as transparent as possible, as LastPass has been with this most recent incident.