LastPass suffers data breach, customer password hashes exposed

LastPass, a cloud-based password manager, disclosed that it had suffered a data breach and that customer email addresses, password hashes and other information were compromised.

Cloud-based password manager LastPass Monday disclosed that attackers had breached its servers and obtained customer data, including password hashes.

The Fairfax, Va.-based vendor said it discovered and blocked "suspicious activity" on its network last Friday, though LastPass didn't specify what the activity was or how it was detected. In a company blog post, LastPass CEO Joe Siegrist stated that the company's investigation of the breach revealed that customer email addresses, password reminders, and cryptographic salts were also compromised along with customers' hashed passwords.

Siegrist stressed that the company's investigation found no evidence that encrypted user vault data was obtained or that encrypted passwords were cracked. Therefore, he wrote, users do not need to change the passwords they stored in the LastPass vault.

"We are confident that our encryption measures are sufficient to protect the vast majority of users," Siegrist wrote. "LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."
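The layering Siegrist describes, a client-side PBKDF2 derivation followed by server-side strengthening with a random salt, as an added illustration that is not LastPass's code. The client-side iteration count, the use of the email address as the client-side salt, and the 16-byte server salt are assumptions; only the 100,000 server-side PBKDF2-SHA256 rounds come from the article.

```python
import hashlib
import hmac
import os

# Assumed client-side iteration count; the article only says client-side rounds exist.
CLIENT_ROUNDS = 5_000
# Server-side rounds as stated in the article.
SERVER_ROUNDS = 100_000
SALT_BYTES = 16  # assumed server-side salt length


def client_auth_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """What the client sends at login: PBKDF2-SHA256 of the master password.

    Assumption: the lower-cased email acts as the client-side salt, so the
    master password itself never leaves the device.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), rounds)


def server_strengthen(auth_hash: bytes, salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side strengthening: another PBKDF2-SHA256 pass over the received
    hash with a per-user random salt. This is the value that would sit in the
    database, alongside the salt and round count."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds)


def enroll(master_password: str, email: str) -> dict:
    """Create the stored record for a new account (salt, rounds, strengthened hash)."""
    salt = os.urandom(SALT_BYTES)
    stored = server_strengthen(client_auth_hash(master_password, email), salt)
    return {"salt": salt, "rounds": SERVER_ROUNDS, "hash": stored}


def verify(record: dict, auth_hash: bytes) -> bool:
    """Check a login attempt. Even with the record (hash + salt) in hand, each
    password guess costs the full client-side plus server-side PBKDF2 work,
    which is the point of the strengthening."""
    candidate = server_strengthen(auth_hash, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    rec = enroll("correct horse battery staple", "user@example.com")
    print("login ok:", verify(rec, client_auth_hash("correct horse battery staple", "user@example.com")))
    print("wrong pw:", verify(rec, client_auth_hash("hunter2", "user@example.com")))
```

Because the server re-derives from the received client hash, the stored value is never the client hash itself, and two users with the same master password get different records thanks to the per-user salt.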

Nevertheless, LastPass said it's taking additional steps to stave off further attacks that may attempt to exploit the exposed customer data, starting with prompting users to change their LastPass account master passwords. The company also advised that if customers reused their master passwords on other accounts or websites, they should replace those as well. In addition, the company recommended all customers enable multifactor authentication (MFA) for their accounts, and is requiring all customers logging in from a new device or IP address to first verify their account by email unless they have MFA enabled.

In the meantime, Siegrist stated that LastPass is working with authorities and security experts to further investigate the breach -- the second major security incident the company has experienced since it was founded in 2008.

In May of 2011, LastPass announced it had detected network anomalies in both incoming and outgoing traffic that suggested an attack on its servers. While the company couldn't find the root cause of the anomalies, it assumed that its database had been breached and that customer data such as email addresses and hashed passwords were exposed.

"Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed," the 2011 security advisory stated.

Following the 2011 incident, LastPass required all customers change their master account passwords, but the requests overwhelmed the company's servers. LastPass later admitted that it made a series of "tactical errors" in its incident response, including inconveniencing customers who had strong, non-dictionary master passwords with mandatory password changes and being unprepared to handle the influx of traffic from the password change attempts.
