Master password firm LastPass suffers data breach

LastPass has suffered a data breach in which hackers carried off email addresses and password reminders belonging to its users, the company revealed on Monday.

Hackers were able to break into the systems of the firm, which offers a master password service for all of its users’ online accounts, leading to the compromising of authentication hashes, which ensure messages have not been tampered with.

Joe Siegrist, chief executive of LastPass, wrote online: "We are confident that our encryption measures are sufficient to protect the vast majority of users.

"LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side [key deriving function] PBKDF2-SHA256, in addition to the rounds performed client-side.

"This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."

As well as addressing the authentication process LastPass is also requiring email verification or multifactor authentication – which often entails the use of a one-time code sent to a user’s mobile – for people trying to access accounts from a new device or IP address.

Users will also be asked to change their master password as an additional precaution, though there is no suggestion that passwords have been taken in the attack.

"Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault," Siegrist said. "As always, we also recommend enabling multifactor authentication for added protection for your LastPass account."

Tod Beardsley, security engineering manger at the vendor Rapid7, said: "Breaches happen, and the difference in sustained damage usually comes down to skilled incident response.

"I’m sure an organisation like LastPass drilled on this kind of event before last weekend, so I’m confident they’ll be able to contain and communicate the full extent of the breach."

However he added that users should be wary of clicking links from emails appearing to be from LastPass in the wake of the breach, and instead should access the service through their usual bookmarks.