
LastPass suffers data breach, customer password hashes exposed

LastPass, a cloud-based password manager, disclosed that it had suffered a data breach and that customer email addresses, password hashes and other information were compromised.

Cloud-based password manager LastPass Monday disclosed that attackers had breached its servers and obtained customer data, including password hashes.

The Fairfax, Va.-based vendor said it discovered and blocked "suspicious activity" on its network last Friday, though LastPass didn't specify what the activity was or how it was detected. In a company blog post, LastPass CEO Joe Siegrist stated that the company's investigation of the breach revealed that customer email addresses, password reminders, and cryptographic salts were also compromised along with customers' hashed passwords.

Siegrist stressed that the company's investigation found no evidence that encrypted user vault data was obtained or that encrypted passwords were cracked. Therefore, he wrote, users do not need to change the passwords they stored in the LastPass vault.

"We are confident that our encryption measures are sufficient to protect the vast majority of users," Siegrist wrote. "LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."
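To make the quoted scheme concrete, here is an added model (not LastPass's code) of a two-stage authentication hash: the client derives a PBKDF2-SHA256 value from the master password, and the server strengthens that value again with a random salt and 100,000 further rounds, the figure quoted above. The client-side round count, the use of the email as the client salt, and the record layout are assumptions for this example.

```python
import hashlib
import hmac
import os

# 100,000 server-side rounds is the figure quoted in the article.
# The client-side count is an assumption for this example.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000
SALT_BYTES = 16


def client_auth_hash(master_password: str, email: str,
                     rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side stage: the server never receives the master password,
    only this PBKDF2-SHA256 output (salted here with the normalised email)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), rounds)


def server_strengthen(client_hash: bytes, salt: bytes,
                      rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side stage: re-hash the received value with a per-user random
    salt so a stolen record cannot be attacked with precomputed tables."""
    return hashlib.pbkdf2_hmac("sha256", client_hash, salt, rounds)


def enroll(master_password: str, email: str) -> dict:
    """Build the stored record: email, random salt, round count and hash.
    These are exactly the fields an attacker holds after a database theft."""
    salt = os.urandom(SALT_BYTES)
    stored = server_strengthen(client_auth_hash(master_password, email), salt)
    return {"email": email, "salt": salt, "rounds": SERVER_ROUNDS, "hash": stored}


def verify(record: dict, master_password: str) -> bool:
    """Recompute both stages and compare in constant time."""
    candidate = server_strengthen(client_auth_hash(master_password, record["email"]),
                                  record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def rounds_per_guess(record: dict) -> int:
    """Offline attacker cost per password guess against a stolen record:
    both stages must be recomputed, so the round counts add up."""
    return CLIENT_ROUNDS + record["rounds"]


if __name__ == "__main__":
    # Constructed sample account; nothing here is real customer data.
    rec = enroll("correct horse battery staple", "alice@example.com")
    print(verify(rec, "correct horse battery staple"), rounds_per_guess(rec))
```

Because the salt is random per user, two customers with the same master password get different stored hashes, which is why the stolen salts alone do not let an attacker crack accounts in bulk.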

Nevertheless, LastPass said it is taking additional steps to stave off further attacks that may attempt to exploit the exposed customer data, starting with prompting users to change their LastPass account master passwords. The company also advised customers who reused their master password on other accounts or websites to replace those passwords as well. In addition, the company recommended that all customers enable multifactor authentication (MFA) for their accounts, and it is requiring all customers logging in from a new device or IP address to first verify their account by email unless they have MFA enabled.

In the meantime, Siegrist stated that LastPass is working with authorities and security experts to further investigate the breach, which is the second major security incident the company has experienced since it was founded in 2008.

In May of 2011, LastPass announced it had detected network anomalies in both incoming and outgoing traffic that suggested an attack on its servers. While the company couldn't find the root cause of the anomalies, it assumed that its database had been breached and that customer data such as email addresses and hashed passwords were exposed.

"Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed," the 2011 security advisory stated.

Following the 2011 incident, LastPass required all customers change their master account passwords, but the requests overwhelmed the company's servers. LastPass later admitted that it made a series of "tactical errors" in its incident response, including inconveniencing customers who had strong, non-dictionary master passwords with mandatory password changes and being unprepared to handle the influx of traffic from the password change attempts.


Are cloud-based password managers a good idea or a potential vulnerability for enterprises?
As was mentioned in another forum I frequent, everyone is subject to being hacked and data being compromised. To me, there are two groups of companies, those who admit to being hacked and addressing the problems, and those who don't admit to it until forced to much later. The former, I will still work with, but I will of course work to make sure I'm changing passwords regularly, not repeating them on multiple machines, and making sure my email passwords are the ones most monitored and protected. If your email password is compromised, that's the crown jewel to getting everything else... all you have to do in that case is log in, scan for messages, go to sites, and click on "Forgot Password". If they get that, it can be game over for everything else, and no decryption hacking required.
I find myself having an emotional reaction to the very idea of a cloud based password system. I just ... no. Sorry. I suspect this is not logic, but emotion. Perhaps our children won't care, the way my generation cares less about giving away the social security number, while SSN security is fundamental to my parents generation.

It's a bit like when Steve Ballmer tried to make the operating system an annual pay to use service. People just don't want that.
It will always be a risk, but having credentials encrypted on a third party server is light years ahead of having them in your browser cookies. As for this LastPass hack, anyone using LastPass should have been able to change their master password, and it should then render those hashes taken as useless.

I think the question sets up a false choice. The thinking here is use cloud-based password security, or not. I think the real question is, for you in your situation, how does it compare? Is it more or less risky, and that should inform decisions.