Hackers have stolen the hashes of LastPass master passwords

Bad news for everyone who uses the LastPass service to store their passwords and other private information and notes.

Yesterday LastPass posted a short notice on its blog saying that unknown perpetrators stole from its servers the hashes of the master passwords that serve as the "master key" to the entire vault of confidential data. We can reassure readers that the attackers did not take the vault data itself, only the hashes of the master passwords.

According to the information provided [...]:

We want to notify our team. In our investigation, we have found no evidence that the encrypted user has been accessed. The investigation has shown, FREAK, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

We are confident of our privacy. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This is the most-doubting issue in the world. Stolen hashes with any significant speed.

[...] there is no reason for mass panic; however, the LastPass team asks its customers to change the master password for their account as a precaution.

The stolen data is said to be properly protected: all the stored password hashes are generated with the PBKDF2 key-derivation function using the SHA256 algorithm, run for 100,000 rounds. Hashes created in this way are very difficult to crack, but it is possible.
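To make "very difficult, but possible" concrete, here is an added example (not LastPass code and not part of the original article) that derives a salted PBKDF2-SHA256 hash with 100,000 rounds and estimates how long exhausting a set of candidate passwords would take at the measured cost per guess. It models only the server-side step; the function names, the 16-byte salt and the candidate-set sizes are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

ROUNDS = 100_000  # server-side round count quoted in the article


def derive_auth_hash(secret: bytes, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns a 32-byte hash."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, rounds)


def verify(secret: bytes, salt: bytes, stored: bytes, rounds: int = ROUNDS) -> bool:
    """Constant-time comparison of a fresh derivation against the stored hash."""
    return hmac.compare_digest(derive_auth_hash(secret, salt, rounds), stored)


def seconds_per_guess(rounds: int = ROUNDS, samples: int = 3) -> float:
    """Average time for one derivation on this machine (single CPU core)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_auth_hash(b"guess-%d" % i, salt, rounds)
    return (time.perf_counter() - start) / samples


def years_to_exhaust(candidates: int, per_guess: float) -> float:
    """Time to try every candidate once against ONE salted hash, in years."""
    return candidates * per_guess / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample: two accounts sharing one password. Per-user salts
    # give unrelated hashes, so each account has to be attacked separately.
    pw = b"constructed-sample-password"
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    print("same password, same hash?",
          derive_auth_hash(pw, salt_a) == derive_auth_hash(pw, salt_b))

    cost = seconds_per_guess()
    print(f"one guess costs about {cost * 1000:.0f} ms on this CPU")
    # Assumed candidate sets: a 10,000-entry common-password list versus
    # 12 random characters drawn from a 62-symbol alphabet.
    for label, n in (("10,000 common passwords", 10_000),
                     ("12 random alphanumerics", 62 ** 12)):
        print(f"{label}: {years_to_exhaust(n, cost):.3g} years per account")
```

The figures are for one CPU core; dedicated cracking hardware is considerably faster, so treat them as an upper bound. Either way a master password taken from a common-password list falls quickly, which is why changing it is advised.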

Of course, we recommend that all LastPass users change the master password for their account and possibly switch to another password manager, for example KeePass, which does not store any data on the vendor's server.


