
Leading password security company gets hacked; customers advised to change their master passwords

Published Jun 15th, 2015 6:12PM EDT

These days, it appears as if no one is safe from hackers. Just a week after the security firm Kaspersky announced that it had been hacked comes word that LastPass, a password security company, has been hacked as well.


LastPass, for those unfamiliar with the service, operates as a secure vault for all of a user’s sensitive Internet passwords. The way it works is rather simple: users select a master password for the LastPass website, and once authenticated, they can then access all of their other passwords.

Of course, any time there’s a site whose business model revolves around the storage of sensitive passwords, it’s a safe bet that hackers will do their best to break in, which is exactly what happened this past weekend.

In a blog post detailing the recent security compromise, Joe Siegrist of LastPass writes that “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”

Nonetheless, because the information on LastPass’ servers is heavily encrypted, Siegrist writes that it’s extremely unlikely that the hackers will be able to do much with what they uncovered.

“We are confident that our encryption measures are sufficient to protect the vast majority of users,” Siegrist writes. “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
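The layered, salted PBKDF2 scheme described in that statement can be sketched as follows. This is an added example, not LastPass code: only the 100,000 server-side PBKDF2-SHA256 rounds and the random per-user salt come from the statement above, while the client-side round count, the use of the email address as the client-side salt, and all function names are assumptions.

```python
import hashlib
import hmac
import os

SERVER_ROUNDS = 100_000  # figure quoted in the article
CLIENT_ROUNDS = 5_000    # assumption: the article gives no client-side count


def client_auth_hash(email: str, master_password: str) -> bytes:
    """Client side: stretch the master password before anything is sent.
    Salting with the email address is an assumption of this sketch."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def server_enroll(client_hash: bytes) -> tuple[bytes, bytes]:
    """Server side: fresh random per-user salt, then 100,000 more rounds."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", client_hash, salt, SERVER_ROUNDS)
    return salt, stored


def server_verify(client_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", client_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def guess_cost_in_hmac_calls() -> int:
    """HMAC-SHA256 evaluations needed to test ONE password guess against
    ONE stolen record (each layer outputs 32 bytes, i.e. one PBKDF2 block)."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


if __name__ == "__main__":
    # Constructed sample account; not real data.
    h = client_auth_hash("alice@example.com", "correct horse battery staple")
    salt, stored = server_enroll(h)
    print("login ok:", server_verify(h, salt, stored))
    print("HMAC calls per guess:", guess_cost_in_hmac_calls())
```

Because every record has its own random salt, an attacker holding the stolen hashes has to repeat the full cost for each guess against each user rather than reusing one precomputed table, which is also why a weak or reused master password remains the exposed case.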

Naturally, LastPass will be requiring its customer base to update their master password as a precautionary measure. To be clear, encrypted passwords for other sites which reside in LastPass’ vault were not taken during the security breach, which is to say that users only need to change their master password.

A security breach is never good news, but when it does happen, it’s nice to see a company get out in front of it and be as transparent as possible, as LastPass has been with this most recent incident.

Yoni Heisler Contributing Writer
