PASSWORD MANAGEMENT SERVICE LastPass has advised users to change their passwords (lol) after hackers infiltrated its network.
LastPass is, ironically, a service that helps users keep their many passwords secure. The firm admitted on Monday that it discovered some suspicious activity on its network last week, which led to the discovery that some users' email addresses, password reminders and authentication hashes were compromised.
However, the firm noted that no encrypted data was taken during the attack.
LastPass CEO Joe Siegrist said in a security notice on the firm's website: "We want to notify our community that on Friday our team discovered and blocked suspicious activity on our network.
"In our investigation, we have found no evidence that encrypted user vault data was taken, or that LastPass user accounts were accessed.
"We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side."
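The notice describes a two-stage scheme: the client derives an authentication hash from the master password before anything leaves the device, and the server then salts that hash and runs a further 100,000 rounds of PBKDF2-SHA256 before storing it. The following Python sketch is an added illustration of that layering; it is not LastPass's code. The server-side round count of 100,000 is taken from the notice, while the client-side round count, the use of the username as the client-side salt, and the key length are assumptions chosen for the example. The point it makes is the defensive one from the quote: a stolen record yields only a salted, heavily iterated hash, so each guess against it costs the attacker the full client plus server work, and the same master password enrolled twice produces two unrelated records.

```python
import hashlib
import hmac
import os
from typing import Optional

# Server-side iteration count as stated in the notice. The client-side count
# and DKLEN are constructed placeholders for this example, not LastPass's values.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000
DKLEN = 32


def client_auth_hash(master_password: str, username: str) -> bytes:
    """Client-side stage (assumed design): derive an authentication hash from the
    master password so the raw password never leaves the device. The username is
    used as the client-side salt here purely as an example choice."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        username.strip().lower().encode("utf-8"),
        CLIENT_ROUNDS,
        DKLEN,
    )


def enroll(master_password: str, username: str, salt: Optional[bytes] = None) -> dict:
    """Server-side stage: pick a random per-user salt and strengthen the received
    authentication hash with a further SERVER_ROUNDS of PBKDF2-SHA256.
    Only the salt and the final hash are stored."""
    salt = salt if salt is not None else os.urandom(16)
    auth = client_auth_hash(master_password, username)
    stored = hashlib.pbkdf2_hmac("sha256", auth, salt, SERVER_ROUNDS, DKLEN)
    return {"username": username, "salt": salt, "hash": stored}


def verify(record: dict, master_password: str) -> bool:
    """Login check: recompute both stages and compare in constant time."""
    auth = client_auth_hash(master_password, record["username"])
    candidate = hashlib.pbkdf2_hmac("sha256", auth, record["salt"], SERVER_ROUNDS, DKLEN)
    return hmac.compare_digest(candidate, record["hash"])


def work_per_guess() -> int:
    """PBKDF2 iterations an attacker holding a stolen record must spend per
    candidate password: the client stage plus the server stage."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


def same_password_different_records(master_password: str, username: str) -> bool:
    """Constructed check: enrolling the same password twice with fresh random
    salts yields two different stored hashes, so precomputed tables do not help."""
    a = enroll(master_password, username)
    b = enroll(master_password, username)
    return a["hash"] != b["hash"] and a["salt"] != b["salt"]


if __name__ == "__main__":
    # Constructed sample credentials for demonstration only.
    rec = enroll("correct horse battery staple", "alice@example.invalid")
    print("login with right password:", verify(rec, "correct horse battery staple"))
    print("login with wrong password:", verify(rec, "Tr0ub4dor&3"))
    print("PBKDF2 iterations per offline guess:", work_per_guess())
    print("fresh salts give unrelated records:",
          same_password_different_records("correct horse battery staple", "alice@example.invalid"))
```

Two details in the sketch matter for the breach scenario the article describes. The salt is stored next to the hash, so it is assumed to be in the attacker's hands; its job is to defeat precomputation, not to stay secret. What protects an individual user is the iteration count multiplied by the strength of the master password, which is why the advice to change a master password that has been reused elsewhere is the operative part of the notice.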
LastPass advises users who log in from a new device or IP address to verify their account by email.
Users are also being advised to change their master passwords, along with any other passwords that are the same as this. But, as security expert Graham Cluley pointed out (below), this might not be as easy as it sounds.
Siegrist added: "Security and privacy are our top concerns here at LastPass. Over the years, we have been and continue to be dedicated to transparency and proactive measures to protect our users.
"In addition to the above steps, we're working with the authorities and security forensic experts."
Commenting on the hack, Chris Boyd, malware intelligence analyst at Malwarebytes, said: "The biggest cause for concern in the immediate aftermath of the LastPass breach is 'easy to guess' password reset questions and password reuse across multiple websites.
"If you've reused your LastPass Master Password anywhere else, you must change it immediately. If you're still happy to use LastPass after this attack, you must ensure you're using some of the many security options available, which include two-factor authentication and 'allow or deny' logins by geographical region.
"Many of those affected could say 'Enough is enough' and go back to storing passwords on the desktop. While that works for some people, too many would probably fail to consider the security risks brought on by such actions."
LastPass last had a security scare in 2011, when it was also forced to advise users to change their password.