In a blog post signed by Joe Siegrist, LastPass announced that it noticed suspicious activity on its network on Friday. After investigating the matter, the service provider found that LastPass account email addresses, password reminders, server per-user salts, and authentication hashes were compromised.
LastPass is available on all platforms, and it provides services similar to those of 1Password: it prompts users for a strong master password that they need to remember and then helps them by generating and remembering other passwords that users need. To gain access to stored passwords, which are encrypted and stored on LastPass’ servers, users need to enter their master password.
What the LastPass hack means, according to Joe Siegrist: it is unlikely that the hackers got access to user passwords, thanks to the security measures the company takes to keep the passwords safe. However, if a user has a weak password and/or uses the same password for another website, there is a possibility that the hackers could get access.
Nonetheless, we are taking additional measures to ensure that your data remains secure, and users will be notified via email. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
While LastPass assured users that it is taking additional steps to protect user data, it strongly recommends that its users update their master passwords.