Password Manager LastPass Gets Hacked

If you use it, you should change your master password.

Jun 15 2015, 7:50pm

The popular password manager LastPass revealed on Monday that hackers compromised some user data, including email addresses and encrypted passwords.

In a notice published on its site, however, the company tried to downplay the severity of the breach, saying that LastPass's "encryption measures are sufficient to protect the vast majority of users."

LastPass is a service that lets you store all your passwords in an encrypted database, protecting them with one "master password." By using LastPass, a user only has to remember one password, letting the app remember the rest. This, of course, hinges entirely on how securely the service protects the user's passwords and master passwords.

A LastPass spokesperson confirmed to Motherboard that thanks to how the company protects users' data, "we don't know the master password" and even though the hackers have gotten their hands on the master passwords, these are encrypted and the hackers shouldn't be able to decrypt them.

This is possible because LastPass extension scrambles the username and master password with a technique called hashing, which creates a random string of characters, or a key, according to LastPass spokesperson Amber Gott. That key is then hashed once again and then sent to the LastPass servers, where it gets scrambled again with a random string that's unique to every user. The resulting value is what LastPass uses to verify that the master password is correct.

In other words, in theory, no one at LastPass knows what your master password actually is—they only know when you've entered it correctly. This protects users because if a hacker broke into LastPass's system, theoretically they won't be able to steal your master password because not even LastPass knows what it is.

But George Tankersley, a security researcher, said that in theory and given enough time and resources, the hackers could crack the master passwords, although "they'll have to attack each password individually."

Users should change their master passwords and enable two-factor authentication.

In any case, LastPass CEO Joe Siegrist suggested users to change their master password (but not their passwords stored into LastPass) and enable two-factor authentication on their accounts, just in case.

"That is just common sense,' Per Thorsheim, the founder of the Password conference, told Motherboard. "If you have enough evidence to believe your passwords could be compromised, change is good."

Siegrist also wrote that LastPass is going to prompt users to change their master passwords via email, and will ask users logging in from new IP addresses to verify their identity via email.

LastPass was victim of another similar attack in 2011, which prompted the company to ask users to change their master passwords. At least two of its main competitors, 1Password and Dashlane, haven't been compromised yet as far as we know.

While this is a concerning breach, every business can expect to get hacked, according to Thorsheim, and LastPass has already shown that they know how to deal with it and minimize the risks for users. Yet, it's never good news when a service that markets itself on its ability to protect users' data loses some of that data.