Those are three words that no LastPass user, or user of any password keeper app, ever wants to hear.
LastPass is one of the most popular password safe apps. Users store all of their passwords for various services on the LastPass platform and then use one strong master password to gain access to their LastPass account on the LastPass servers.
Earlier in the day, LastPass took to their blog to report that they had been hacked late last week.
“We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised,” LastPass said on their blog.
LastPass went on to say that this wasn’t the hack of all hacks and that a lot of their user data is still very safe and secure. “We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed,” the company said.
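The layered strengthening described in that statement, sketched as an added example (not LastPass's code). Only the random per-user salt and the 100,000 server-side PBKDF2-SHA256 rounds come from the notice; the client-side round count, the use of the email address as the client-side salt, and all function names are assumptions.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000    # assumption: the notice gives no client-side count
SERVER_ROUNDS = 100_000  # stated in the LastPass notice


def client_auth_hash(email: str, master_password: str) -> bytes:
    """Client side: stretch the master password so it never leaves the device.
    Salting with the email address is an assumption made for this sketch."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def server_enroll(client_hash: bytes) -> tuple[bytes, bytes]:
    """Server side: pick a random per-user salt and stretch again before storing."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", client_hash, salt, SERVER_ROUNDS)
    return salt, stored


def server_verify(client_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", client_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    # Constructed sample account and passwords.
    good = client_auth_hash("alice@example.com", "correct horse battery staple")
    bad = client_auth_hash("alice@example.com", "password1")
    salt1, stored1 = server_enroll(good)
    salt2, stored2 = server_enroll(good)  # same input, fresh salt
    return {
        "login_ok": server_verify(good, salt1, stored1),
        "wrong_password_ok": server_verify(bad, salt1, stored1),
        # Per-user salts make identical inputs store differently, so one
        # precomputed table cannot be reused across stolen records.
        "same_input_same_record": stored1 == stored2,
        # Cost of checking one candidate password against one stolen record.
        "rounds_per_guess": CLIENT_ROUNDS + SERVER_ROUNDS,
    }


if __name__ == "__main__":
    print(demo())
```

The per-guess cost is why the choice of master password still matters: the rounds slow every guess equally, so a weak or reused master password remains the account most exposed by stolen hashes.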
LastPass does want to make extra certain that all of their user data is safe, so if you use LastPass and don’t have two-factor authentication set up, you will need to validate your account via email. You’ll also have to update your master password.
Finally, they report that encrypted user data was not taken, so there is no need to go internet-wide and change all your passwords; only your LastPass master password needs to change.
If you have more questions about the hack, there is an FAQ under this blog post.