LastPass is warning customers to change their master passwords as a result of recent suspicious activity on its network.
Though LastPass claims that the vault storing user passwords was not accessed, the company is warning users to change their master passwords. Last week the company detected some suspicious activity on the network, and was able to quickly block it. While they claim that no data was taken, and no accounts were accessed, the investigation did reveal some stuff was compromised. LastPass account email addresses, password reminders, server per user salts and authentication hashes fell victim to the attack.
The folks at LastPass are taking the security of everyone's account very seriously. From the company's blog post:
Nonetheless, we are taking additional measures to ensure that your data remains secure, and users will be notified via email. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
LastPass is urging users who have a weak master password, or if you've reused your master password on another site, to change it immediately. Also, as with many other services, the company strongly recommends that users enable multifactor authentication for an added layer of security.
Source: LastPass
Reader comments
LastPass warns customers to change master passwords following suspicious activity
Wait: a password app/security company gets hacked? Man, if that ever happened to the app I use, 1Password, I'd raise holy hell!
Anything can and probably will get hacked. It's still best practice to change passwords regularly with or without a pw manager, and the master password to any password manager. At least these pw managers make it pretty easy to keep on top of it. There is still user responsibility.
Difference is that 1Password doesn't store any of your data. You can choose to use Dropbox, or iCloud, or a local file. Even if they hacked into Dropbox or iCloud and grabbed your vault, the Master Password is stored nowhere. AFAIK
This is a second such instance with Last Pass, the first being in 2011. But they are proactive to always inform it's customers if they 'suspect' unusual network activities.
Sent from the iMore App
I'd say this is a good reason to use 1Password, since none of your data is stored on their servers at all.
Still most likely you have your vault stored on some cloud service whether it be Dropbox or iCloud. It's a better way to do it but nothing is un-hackable :)
Sure, I do but 1Password at least gives you the CHOICE of whether you cloud sync or not, and the option of a local wi-fi only sync if you are that concerned about it.
True, but even WiFi is hack-able :)
Well hell, I guess we better just turn the power off to everything, they can't hack us then!
Haha, well I'm not saying we should do that...
Ever since i tried out Last Pass, i had only one no Value Login stored in it, and i decided to keep all my Data in 1Password.
I never liked Last Pass because it is soo Connected to the web all the time.
I was told that my Email was not Compromised but i will always stick to 1Password.
(Great job @ Agilebits)