Online password manager LastPass is in lockdown mode after the company discovered unusual activity on its network late last week. That activity turned out to be hackers who got away with user email addresses, password reminders, server-side per-user salts, and authentication hashes, according to LastPass.
The good news is it appears hackers didn't get away with anyone's encrypted password vaults. Still, it certainly sounds like a bad breach, but the consensus among security experts is that it could've been a lot worse.
First of all, LastPass is currently defending against potential account theft by requiring email verification--or multi-factor authentication if enabled--whenever a new login comes from an unknown device or new IP address. An attacker would need access to your email account or authenticator app on top of cracking your LastPass master password to get in.
Speaking of which, cracking that master password is going to take a long time unless your LastPass password is unbelievably weak, such as 1234LastPass or something similar. To crack your master password, hackers first have to get past your authentication hash--which includes 100,000 rounds of PBKDF2-SHA256 hashing--on the LastPass servers. Hashing uses an algorithm to convert one string of text into a longer string so that it is difficult to reverse engineer and discover what the original text was; the per-user salt means every account's hash has to be attacked separately.
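To make the mechanism concrete, here is an added illustration (not LastPass' own code, and not a claim about its exact scheme) of a server-side authentication record built from a random per-user salt and 100,000 rounds of PBKDF2-SHA256, the constant-time login check a server would run against it, and a measurement of how much each guess is slowed by the stretching:

```python
import hashlib
import hmac
import os
import time

# Iteration count the article attributes to LastPass' server-side hash.
ROUNDS = 100_000


def make_auth_record(master_password: str, salt: bytes = None, rounds: int = ROUNDS) -> dict:
    """Build the stored record: a random 16-byte per-user salt plus PBKDF2-SHA256 of the password."""
    if salt is None:
        salt = os.urandom(16)
    auth_hash = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, rounds)
    return {"salt": salt, "rounds": rounds, "auth_hash": auth_hash}


def verify_login(record: dict, candidate_password: str) -> bool:
    """Recompute the hash for a login attempt and compare in constant time (no early exit on mismatch)."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", candidate_password.encode("utf-8"), record["salt"], record["rounds"]
    )
    return hmac.compare_digest(candidate, record["auth_hash"])


def stretching_factor(password: str, strong_rounds: int = ROUNDS, weak_rounds: int = 1, samples: int = 3) -> float:
    """How many times slower one password check is with strong_rounds than with weak_rounds.

    This is the factor by which key stretching multiplies the work per guess; it applies
    equally to the defender's one check per login and to every candidate an attacker tries.
    """
    salt = os.urandom(16)

    def seconds_per_check(rounds: int) -> float:
        start = time.perf_counter()
        for _ in range(samples):
            hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
        return (time.perf_counter() - start) / samples

    return seconds_per_check(strong_rounds) / seconds_per_check(weak_rounds)


if __name__ == "__main__":
    record = make_auth_record("correct horse battery staple")  # constructed sample password
    print("correct password accepted:", verify_login(record, "correct horse battery staple"))
    print("wrong password rejected:  ", not verify_login(record, "1234LastPass"))
    print(f"each guess costs about {stretching_factor('x'):.0f}x a single SHA-256 round")
```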
One security expert told Ars Technica that he's so confident in LastPass' hashing that he doesn't even feel compelled to change his master password.
That said, LastPass is nothing if not prudent, and the company will soon prompt all users to change their master password.
So what's a LastPass user to do? Is it time to give up on this popular password manager and switch to something else? As a paying user of LastPass I'm not taking that drastic step, but here are a few things you should do.
Enable multi-factor authentication
This is the most important step you can take if you haven't already. Even if the worst happens and hackers get your master password, they'll still need the authentication code to access your account if you have two-factor authentication enabled. Multi-factor authentication isn't important just for LastPass--you should be using it on any site that offers it, including social networks, email accounts, and so on.
Beware of the phish
With hackers in possession of the email addresses of LastPass users, at least some of us are likely to see phishing attacks. This is when attackers send a phony email dressed up like an authentic message from LastPass. The difference is this email will ask you to click a link and change your master password--something you should never do.
Never, ever click on a link in an email asking you to change your password. Chances are that link will take you to a fraudulent version of the LastPass site that exists solely to steal your login credentials.