Password-storing cloud biz LastPass is urging its users to change their master passwords after hackers broke into its network at the end of last week.
The intrusion reportedly happened on Friday afternoon, but many LastPass users are only learning about it now. LastPass last had a security scare in 2011.
"In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed," CEO Joe Siegrist said in a blog post on Monday. "The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."
As a result, the company is requiring all users who log in to the service from a new device or IP address verify their identities via email or two-factor authentication.
Users will also be prompted to reset their master passwords, and LastPass is reminding them that if they used their master passwords as a password on any other site, to change the passwords on those sites, too.
Lastpass password reset servers overloaded pic.twitter.com/9YfgSloI4N— Darren Pauli (@darrenpauli) June 15, 2015
Passwords to other sites that were stored on LastPass, however, aren't thought to have been compromised.
LastPass says it protects its authentication hashes with 100,000 rounds of server-side PBKDF2-SHA256 cryptography, which it says "makes it difficult to attack the stolen hashes with any significant speed."
Still, it's not impossible for someone brute-force the process and discover your master password. However, if your master password is complex, you should be safe – it will take an attacker far too long to crack your passphrase. Setting up two-factor authentication kills the problem dead, anyway.
"We are confident that our encryption measures are sufficient to protect the vast majority of users," Siegrist added.
Some LastPass users weren't pleased with how they found out about the breach. In comments posted to the company's website on Monday, many expressed dismay that they learned of the incident via Reddit, Twitter, and elsewhere, rather than via direct email from LastPass.
"What the hell guys?" one user who identified himself as "Ian" wrote. "I'm not annoyed that you got breached, I'm annoyed that as a paying customer, I found out about it via Facebook."
Others complained of problems when trying to change their master passwords, or being locked out of their accounts after making the change.
LastPass says that in addition to requiring users to use extra authentication steps and to change their master passwords, an email is being sent out to every user explaining the issue. ®