LastPass admits it’s been hacked again

Password manager LastPass has admitted that its servers have been hacked for the second time in four years. However, the company insists there is no evidence that the hackers have made off with users’ passwords. 

In a blog post on the company’s website, the LastPass CEO says the thieves managed to gain access to account email addresses, password reminders and authentication hashes. Those hashses could potentially be used to work out customers’ master passwords, consequently unlocking all the passwords in users’ vaults. However, because LastPass uses a particularly strong hashing routine, it’s highly unlikely that the thieves will be able to crack many passwords using a brute-force attack, where the hackers attempt every conceivable password combination.

Nevertheless, the company is still taking precautions to protect customers. Anybody signing in from a new device or IP address will have to click a verification link sent by email to confirm they are the genuine account holder, unless they already use two-factor authentication. The company will also be prompting all users to change their master password. 

The master passwords that are most susceptible to a brute force attack are weak, dictionary-based entries (such as expert1, password6 or 3456789) or passwords that have been reused on other sites. LastPass is urging customers with such passwords to act quickly, although the CEO says “we are confident that you are safe on your LastPass account regardless”. 

Security experts agree that LastPass customers need not be too concerned. “As always, don’t panic,”  writes independent security expert, Graham Cluley on his blog. “The sky is not falling. Take sensible steps to better secure your account – LastPass’s advice is good.”

The big danger is that list of stolen email addresses will be used to perpetrate phishing attacks, in which LastPass customers are hoodwinked into handing over their master password. “Amongst the stolen information appears to have been a database of account email addresses – an opportunity for phishers and identity thieves to commit email-based attacks posing as the password management company,” says Cluley. Those phishing emails could be even more effective if the attackers can convince users they are genuine by showing them their password reminder.

LastPass was the victim of a similar attack in 2011, after which it again forced users to change their master passwords and required extra validation when attemtping to access LastPass accounts from new IP addresses. There were no reports of widespread password theft among LastPass customers after that incident.