LastPass warns customers to change master passwords following suspicious activity

LastPass is warning customers to change their master passwords as a result of recent suspicious activity on its network. Though LastPass claims that the vault storing user passwords was not accessed, the company is warning users to change their master passwords. Last week the company detected some suspicious activity on the network and was able to quickly block it. While the company says that no encrypted vault data was taken and no accounts were accessed, the investigation did reveal that some account data was compromised: LastPass account email addresses, password reminders, server-side per-user salts and authentication hashes were exposed in the attack.

The folks at LastPass are taking the security of everyone's account very seriously. From the company's blog post:

Nonetheless, we are taking additional measures to ensure that your data remains secure, and users will be notified via email. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.

LastPass is urging users who have a weak master password, or who have reused their master password on another site, to change it immediately. Also, as with many other services, the company strongly recommends that users enable multifactor authentication for an added layer of security.

Source: LastPass

Jared DiPane

Jared started off writing about mobile phones back when BlackBerry ruled the market, and Windows Mobile was kinda cool. Now, with a family, mortgage and other responsibilities he has no choice but to look for the best deals, and he's here to share them with you.

37 Comments
  • And this is why you should never store all your passwords in one place and especially not online on someone else's servers that you have no direct control over.
  • Ding ding ding
  • Some people have difficulty remembering 20 character strings. If it can remain secure then there's no reason not to take advantage of it.
  • Well obviously it hasn't remained secure....
  • Hasn't it? All they said was they have detected suspicious activity. How many people who have their own passwords secured on their system can say for sure that nothing suspicious has been detected?
  • The raison d'être for this company is to provide a secure platform for passwords. If it can't even do that, why trust it at all going forward?!
  • Except they were not hacked, they detected suspicious activity, so they are being proactive. 
  • Multi-factor authentication...
  • Two factor authentication with a secure passphrase that you never use on any other website means your account is not compromised. If they reported that their database had been unencrypted and hacked that would be another story. They are saying that folks who are not using two-factor AND may have used their password elsewhere are at risk. .10c says those folks know that. Now they are auto-enabling email verification for everyone. Nothing to see here folks.  
  • Wtf lol that's why I don't store passwords in those so-called vaults
  • It's true that it's a single source for lots of password data, but most of the alternatives are worse -- writing passwords down on paper, using the same handful of passwords for multiple sites, storing on a portable device that could be accessed (about the same as writing them down), etc. Compared with those alternatives, LastPass and its kin are a superior option.
  • Yep, this is my reasoning. Got Msecure after I had written down all my passwords in OneNote. Realized how stupid that could be, so I DLed Msecure. It even had a complex custom password generator.
  • 100
  • Storing passwords like this is asking to be hacked.
  • Anyone remember gator
  • Well that's why I'm afraid to put my users in danger. I don't know if I should release a cloud feature to my app :|
  • Which app?
  • Instead keep them in mind...Let it(mind) also work sometimes!
  • This is why you should be using 1password. It stores the password on your computer.
  • Or KeePass I'm a huge fan of "offline" password management tools
  • Good if you don't use a laptop or anything else that could be stolen. Or backup your password data to a cloud source anyway. Of course, if your PC is ever hacked even if physically safe in your home, then that's gone too. At least personally you're probably not as big a target as a large password store. Or if it's in your home and there's a fire or lightning strike (EMP)... In the real world, LastPass and the other similar services are a decent option among no perfect solutions.  
  • How about oneSafe?
  • Or mSecure?
  • What a bunch of C..rap?! Everything is already compromised but they're trying to avoid bankruptcy cuz there's investors money in it big time.
  • The only safe place to store secrets is in your brain. Learn how to use it. It is with you everywhere you go and does not require a computer or internet connection to function. In addition, its storage is automatically erased when terminated.
  • LOL. Not talking about secrets, we're talking about passwords. Good luck remembering all your passwords.
  • I can remember a small handful of complex passwords. But I have dozens, maybe over a hundred sites that need secure passwords. It's not wise to use the same password for multiple sites, because if a hacker gets one he's got them all. Therefore, the brain is not a good storage system for passwords. LastPass and similar systems, while flawed, are about as good as it gets.
  • Good luck trying to remember even 5 complex ones.
  • Amnesia? Stressful times in a foreign country? Sometimes stuff can be really hard to remember.
  • Enpass stores data on your cloud platform, like OneDrive or DropBox. Both of those support 2 factor authentication, and the app itself requires a password. It isn't a perfect solution, but it's a darned good one IMHO...
  • Just checked the store. Enpass sure has stellar ratings.
  • I still can't figure out why people are not using open source, long-time proven tools like KeePass. And yes, you can sync across your devices via OneDrive or, as I do it, with OwnCloud (my own private instance). Centralized password repositories are screaming for hackers. Big money.
  • Keeper looks safe, though you have to buy it.
  • For those that are interested in using multi factor authentication with Last Pass it does work with the Microsoft Authenticator app.
  • Agreed. Works well.
  • Been using that myself for quite a long time.
  • Try my Windows Phone app named KeyRing. It does not use a data connection and stores your passwords only locally on your device. Encrypted. No way to get to the data. You can use a NFC tag to secure the app. It is FREE and has NO ADS. Just a hobby project with ~ 100k downloads and 3,300 reviews of >4.5* worldwide. There are versions for WP7 and WP8. Try it http://www.windowsphone.com/s?appid=1d031e0b-6ee9-471b-927e-54c859e5a4b4 Cheers, Thomas