Password manager LastPass disclosed today that its network was breached and advised users to change their master passwords and enable multifactor authentication.
CEO and founder Joe Siegrist said in a security notice that LastPass on Friday discovered suspicious activity on its network; encrypted user vault data was not taken, Siegrist said, nor were user accounts accessed. The attackers, however, did compromise LastPass account email addresses, password reminders, per-user salts, and authentication hashes.
“We are confident that our encryption measures are sufficient to protect the vast majority of users,” Siegrist said.
A salt is random data combined with a password before it is cryptographically hashed. Because each user's salt is different, an attacker cannot reuse precomputed hash tables and must run a dictionary or brute-force attack separately against every stolen hash.
“LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side,” Siegrist said. “This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
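The two-stage stretching Siegrist describes, as an added illustration that is not LastPass's code: the client runs PBKDF2-SHA256 over the master password before anything leaves the device, and the server re-stretches what it receives with a per-user random salt and 100,000 more rounds. The client-side round count (5,000) and the use of the e-mail address as the client-side salt are assumptions made for this example; the notice does not state them.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed model of the scheme described in the security notice, written for
# illustration; it is not LastPass's code. The client stretches the master
# password before it leaves the device, and the server stretches what it
# receives again with a per-user random salt.
CLIENT_ROUNDS = 5_000    # assumed client-side iteration count (not stated on the page)
SERVER_ROUNDS = 100_000  # server-side count quoted in the security notice


def client_auth_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side PBKDF2-SHA256; the raw master password never reaches the server.
    Using the lower-cased e-mail as the client-side salt is an assumption of this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), rounds)


def server_store(client_hash: bytes, salt: Optional[bytes] = None, rounds: int = SERVER_ROUNDS) -> dict:
    """Build the server-side record: a fresh per-user salt plus the re-stretched hash."""
    if salt is None:
        salt = os.urandom(16)
    return {"salt": salt, "rounds": rounds,
            "hash": hashlib.pbkdf2_hmac("sha256", client_hash, salt, rounds)}


def server_verify(record: dict, client_hash: bytes) -> bool:
    """Recompute the server-side stretch and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", client_hash, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def work_per_guess(record: dict, client_rounds: int = CLIENT_ROUNDS) -> int:
    """HMAC-SHA256 iterations that anyone holding only the stolen record must spend
    per candidate master password: each guess has to pass through both stages."""
    return client_rounds + record["rounds"]


def demo() -> dict:
    # Constructed sample data for a single user.
    alice = client_auth_hash("correct horse battery staple", "alice@example.com")
    rec_a = server_store(alice)
    rec_b = server_store(alice)  # same client hash, independent per-user salt
    return {
        "login_ok": server_verify(rec_a, alice),
        "wrong_password_rejected": not server_verify(
            rec_a, client_auth_hash("password123", "alice@example.com")),
        # Distinct salts give unrelated stored hashes for identical input, so one
        # precomputed table cannot be reused across users.
        "same_input_distinct_hashes": rec_a["hash"] != rec_b["hash"],
        "iterations_per_guess": work_per_guess(rec_a),
    }
```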
Despite the attackers having accessed the salts and hashes, Paul Moore, a UK-based researcher, downplayed the risks.
“Salts aren’t meant to be secrets, and if [the] hashes are as strong as they say, there’s virtually no risk with strong passwords,” he told Threatpost.
Tod Beardsley, security engineering manager at Rapid7, pointed out that since the attackers don’t appear to have obtained the vault passwords encrypted under the master password, the stolen account email addresses may pose a more immediate risk.
“The fact that the attackers are now armed with a list of LastPass users by e-mail means that we may see some targeted phishing campaigns, presenting users with fake ‘Update your LastPass master password’ links,” Beardsley said. “So, while further direct communication from LastPass to their users about this breach should be welcome, it should be treated with suspicion if there are any embedded links and calls to action.”
LastPass is indeed in the process of notifying customers by email of the breach. Users on a new device or IP address will be required to verify accounts via email, unless multifactor authentication is enabled.
“If you have a weak master password or if you have reused your master password on any other website, please update it immediately. Then replace the passwords on those other websites,” Siegrist said. “Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault.”
LastPass, like some other password managers, is a browser-based tool that encrypts and decrypts data on the device before communicating with LastPass servers. Once the tool is downloaded, a user creates an account with their email address and a master password. As the user accesses online services, they are able to save login information, generate passwords and save profiles in the tool, including payment card information. LastPass offers free, premium and enterprise versions of its product.
Password managers are juicy targets for hackers since they present a single point of access to numerous online accounts. Last summer, LastPass avoided trouble when it patched two security vulnerabilities that could have allowed attackers to target particular users and generate one-time passwords. That same week, a paper from the University of California, Berkeley exposed critical vulnerabilities not only in LastPass, but also in RoboForm, My1Login, PasswordBox and NeedMyPassword.