vastscoop.blogg.se

Lastpass breach










Passwords are salted as an additional security measure. Master passwords are hashed before they leave the user’s computer using PBKDF2-SHA256. LastPass users log in to their accounts using a master password, which gives access to the passwords stored in the vault hosted by LastPass. Before we dive into those numbers, what does the breach mean for the average LastPass user? First, while the breach is a wake-up call for the industry, the average user is unlikely to be impacted.


We analyzed exposure to the LastPass breach across over 18 million McAfee (formerly Skyhigh Networks) users. Many even recommended LastPass as a secure way to remember all of these complex, unique passwords.


The breach comes at a time when many security writers have been recommending that people use strong, unique passwords for all the websites and cloud services they use to minimize the damage of a password breach of one service. While the password vaults that contain users’ passwords are not believed to have been compromised, cyber attackers gained access to users’ email addresses, password reminder questions, server per user salts, and hashed master passwords.

1Password is one such alternative, but there are other password managers to choose from. Many LastPass users found out on social media or on news sites earlier this week that LastPass experienced a significant security breach. If nothing can put your mind at ease, you can consider migrating your passwords to competing services. It’s also a good idea to change passwords for those services from time to time. Also, you should consider adding two-factor authentication to LastPass and other sensitive accounts. You’ll also want to check your sensitive accounts that you store in LastPass for unauthorized activity. If you received one of these LastPass emails, you should consider changing your Master Password. But LastPass users who might have received warnings about potential third-party account access attempts might still be worried.

It is also important to reiterate that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s). As a result, a LastPass hack would not lead to attackers gaining access to Master Passwords: These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. Furthermore, LastPass also says that the app doesn’t store the user’s Master Password. As a result, we have adjusted our security alert systems and this issue has since been resolved.
Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. In comments to The Verge, LastPass explained that some of the alerts were errors due to an issue that it has resolved:

More good news about Master Password security

We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure. It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party.


Attackers did not hack LastPass user accounts, the company explained: LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted ‘credential stuffing’ activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. Furthermore, LastPass said that it hasn’t seen any evidence of actual hacking.









