Fordham Information Technology - Secure IT: Article - LastPass Security Notice

Monday, June 15, 2015

Article - LastPass Security Notice

LastPass has sent out a notice to its users, notifying the community that on Friday, their team discovered and blocked suspicious activity on their network. In their investigation, they found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per-user salts, and authentication hashes were compromised.

LastPass stated "We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."
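The layered strengthening described in that statement can be sketched as follows. This is an added example, not LastPass's code: the function names, the client-side round count, the 16-byte salt, and the use of the email address as the client-side salt are assumptions made for illustration. Only the 100,000 server-side rounds of PBKDF2-SHA256 and the random per-user salt come from the notice.

```python
import hashlib
import hmac
import os
from typing import Tuple

SERVER_ROUNDS = 100_000  # server-side round count quoted in the notice
CLIENT_ROUNDS = 5_000    # assumed; the notice gives no client-side figure


def client_auth_hash(master_password: str, email: str) -> bytes:
    """Client-side stretching: the server only ever receives this value.
    Salting with the email address is an assumption of this sketch."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def server_enroll(auth_hash: bytes) -> Tuple[bytes, bytes]:
    """Strengthen the received hash again with a fresh random per-user salt."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return salt, stored


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute with the user's salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def rounds_per_guess() -> int:
    """PBKDF2 rounds needed to test one candidate master password
    against one stored record (client-side plus server-side)."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


if __name__ == "__main__":
    # Constructed sample credentials, not real data.
    h = client_auth_hash("correct horse battery staple", "alice@example.com")
    salt_a, stored_a = server_enroll(h)
    salt_b, stored_b = server_enroll(h)
    # The same input enrolled twice yields unrelated records, so one
    # precomputed table cannot be reused across users.
    print("records differ:", stored_a != stored_b)
    print("correct login:", server_verify(h, salt_a, stored_a))
    print("rounds per guess:", rounds_per_guess())
```

The stretching raises the cost of each guess but does not remove it, so a weak or reused master password remains the exposed case, which is why the notice's "vast majority of users" wording and the master password update prompt go together.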

They are taking additional measures to ensure that users' data remains secure. They are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless they have multifactor authentication enabled. As an added precaution, they will also be prompting users to update their master password.

An email is also being sent to all users regarding this security incident.

