The sad truth of keeping a presence on the Internet today is that you’ll most likely have to change your password at some point due to a hack. That’s where services like LastPass swoop in to rescue you by providing you a way to use a safe, secure password across all of your accounts. But what if LastPass gets hacked? Particularly by that Ringwraith you see typing away above.
That’s just what happened on Friday, meaning you’ve probably been asked to change your master password by this point if you use the service. LifeHacker reports that the service released a statement saying they have noticed suspicious behavior and that some user data (nothing secure, thankfully) was taken during the intrusion:
We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
So if you haven’t done that, you might want to go make an attempt at a change. Lifehacker does note that the LastPass site is a little sluggish due to the activity, so you probably want to keep your patience in hand. Obviously nothing is entirely safe, but that doesn’t mean you shouldn’t let this go or ignore it for too long. Some data was taken and it’s better to be safe than sorry.