Users of the online password management service LastPass are being told to update their master passwords in light of "suspicious activity" detected on the company's network last week. However, the company said the incident is not believed to have compromised users' accounts or their encrypted data.
LastPass discovered the suspicious activity on Friday and took action to block it, according to a statement from company CEO Joe Siegrist. The company is also sending an e-mail to all users with further guidance on how to ensure the security of their accounts.
Users of the password management service are able to store and automatically access individual logins to numerous Web sites by syncing their online activities with LastPass. The service relies on encryption and the use of a master password to secure users' access to all of their individual passwords.
'No Evidence' Encrypted Data Taken
In a blog post on Monday, Siegrist said the company's investigation of suspicious network activity "found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed." However, he added the company did determine that "LastPass account e-mail addresses, password reminders, server per user salts, and authentication hashes were compromised."
Because LastPass uses a random salt -- a random string of data combined with each password before it is hashed -- and 100,000 rounds of server-side hashing to strengthen each user's authentication hash, "the vast majority" of accounts should not be at risk from the stolen hashes, Siegrist noted. To ensure that user data remains secure, though, LastPass has recommended that customers update their master passwords after receiving an e-mail prompt from the company.
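The strengthening step described above, written out as an added example (this is not LastPass's code): a random per-user salt plus 100,000 rounds of server-side hashing. The page does not name the hash function, so PBKDF2-HMAC-SHA256 and a 16-byte salt are assumptions here; the cost of a single verification is what makes each guess against a stolen salt-and-hash record expensive.

```python
import hashlib
import hmac
import os
import time

# Assumptions (not stated in the article): PBKDF2-HMAC-SHA256 as the
# server-side strengthening function and a 16-byte random per-user salt.
ROUNDS = 100_000      # the 100,000-round figure quoted in the article
SALT_BYTES = 16


def make_auth_record(master_password, salt=None):
    """Build the server-side record for one user: only the salt and the
    strengthened authentication hash are stored, never the password."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    auth_hash = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ROUNDS)
    return {"salt": salt, "auth_hash": auth_hash}


def verify(master_password, record):
    """Re-derive the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    record["salt"], ROUNDS)
    return hmac.compare_digest(candidate, record["auth_hash"])


def same_password_different_salts(master_password):
    """Two users sharing a master password still get unrelated records, so a
    precomputed table for one salt says nothing about another user."""
    a = make_auth_record(master_password)
    b = make_auth_record(master_password)
    return a["auth_hash"] != b["auth_hash"]


def seconds_per_guess(master_password, record, samples=3):
    """Wall-clock cost of one verification, which is also the cost an
    attacker pays per guess against a stolen record."""
    start = time.perf_counter()
    for _ in range(samples):
        verify(master_password, record)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    rec = make_auth_record("correct horse battery staple")  # constructed sample
    print("correct password verifies:", verify("correct horse battery staple", rec))
    print("wrong password verifies:  ", verify("wrong password", rec))
    print("distinct salts give distinct hashes:", same_password_different_salts("x"))
    print(f"one guess costs roughly {seconds_per_guess('x', rec) * 1000:.1f} ms")
```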
Any users who typed in their master passwords to access individual Web sites should also replace their single-site passwords, Siegrist noted. The company is also recommending that users enable multifactor authentication to provide additional account security.
Siegrist's blog post prompted more than 800 comments from LastPass users, many of whom expressed concern about trouble with changing their master passwords. LastPass noted that because user accounts are locked down, users can access their accounts only from trusted IP addresses or devices.
To log in from a new device or IP address, users must first verify their accounts via e-mail, unless they have already enabled multifactor authentication.
LastPass users' data were at minimal risk because of the company's strong, 100,000-round hashing routine, according to Jeremi Gosney, a password security expert at Stricture Group.
'No System 100% Secure'
The suspicious activity identified by LastPass "highlights the fact that no password system is 100 percent secure," said Ken Westin, senior security analyst at the cybersecurity firm Tripwire. "Often people can fall into a false sense of security with password managers, forgetting that the password they use to unlock all of these accounts is just as likely to be stolen as any other password. The password used to protect your password manager should be a strong password that is not used with any other service."
Westin said that although password managers can be useful for things like social media accounts, he would not trust them with passwords for banking or financial accounts. "But I am more paranoid than most," he said. "With the 'one-password-to-rule-them-all' approach, users need to be aware that the master password needs to follow strong security guidelines. Given that it can unlock all of your passwords, you need to make sure it is at least 14 characters long and contains numbers and special characters, and ensure that it is not used on any other site."
Erin Styles, a spokesperson for LastPass, told us that all its users had now been informed of the security issue by e-mail. "We are still consulting with the authorities and security forensic experts on the nature of the attack," she said. "We do know the extent of the attack and are confident that this will not affect the security of user accounts."