Don't hit the panic button (but do think of a new password)
LastPass, the popular password manager that remembers and automatically inputs your various passwords so you don't have to, fell prey to a cyber attack that could have been worse than it was. In a blog post, LastPass said its team discovered and blocked suspicious activity on its network that turned out to be the work of hackers.
No encrypted user vault data was taken and no user accounts were accessed, though the bad guys did make off with LastPass account email addresses, password reminders, per-user server salts, and authentication hashes. Sounds scary, though LastPass is downplaying the severity of the attack.
"We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed," LastPass said.
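To make the quoted scheme concrete, here is an added example (written for this page, not LastPass's own code) of what "client-side rounds plus a server-side PBKDF2-SHA256 pass with a random per-user salt" looks like, and why a thief holding only the salt and stored hash has to repeat all of that work for every password guess. The client-side round count, the use of the email address as the client-side salt, and the key length are assumptions chosen for illustration; only the 100,000 server-side rounds of PBKDF2-SHA256 come from the quote.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters. SERVER_ROUNDS matches the figure LastPass quoted;
# CLIENT_ROUNDS and KEY_LEN are assumptions for this example only.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000
KEY_LEN = 32  # bytes


def client_auth_hash(email: str, master_password: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client side: derive the authentication hash that is sent to the server.

    The master password itself never leaves the client. Assumption: the
    lower-cased email address serves as the client-side salt.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), email.lower().encode("utf-8"), rounds, KEY_LEN
    )


def server_strengthen(auth_hash: bytes, server_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server side: run another PBKDF2-SHA256 pass over the received hash with a
    random per-user salt. Only the output of this step is stored."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, rounds, KEY_LEN)


def register(email: str, master_password: str) -> dict:
    """Create the record the server keeps: email, per-user salt, strengthened hash.
    This is exactly the kind of record the article says was stolen."""
    server_salt = os.urandom(16)
    stored = server_strengthen(client_auth_hash(email, master_password), server_salt)
    return {"email": email, "salt": server_salt, "stored": stored}


def verify(record: dict, email: str, master_password: str) -> bool:
    """Login check: recompute both stages and compare in constant time."""
    candidate = server_strengthen(client_auth_hash(email, master_password), record["salt"])
    return hmac.compare_digest(candidate, record["stored"])


def cost_per_guess(record: dict) -> float:
    """Seconds an attacker who holds the stolen salt and hash must spend on one
    candidate password: the client rounds and the 100,000 server rounds both
    have to be redone, and the random salt prevents precomputed tables."""
    start = time.perf_counter()
    verify(record, record["email"], "not-the-real-password")  # constructed wrong guess
    return time.perf_counter() - start


if __name__ == "__main__":
    rec = register("alice@example.test", "correct horse battery staple")  # constructed sample
    print("login ok:", verify(rec, "alice@example.test", "correct horse battery staple"))
    print("wrong pw:", verify(rec, "alice@example.test", "password123"))
    print(f"cost per offline guess: {cost_per_guess(rec) * 1000:.1f} ms")
```

The per-guess cost printed at the end is the whole point of the quoted statement: multiplied across a dictionary of candidate passwords, it is what turns a stolen hash table into a slow, expensive attack rather than a quick one, and it is why a strong master password plus the forced reset still matters for the weak-password tail.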
Even though it's unlikely that the cyber thieves could crack the stolen hashes and recover users' master passwords, LastPass is requiring that all users update their master password. In addition, any users logging in from a new device or IP address must verify their account by email, unless multifactor authentication is enabled.
That said, LastPass says it's not necessary to change any passwords on sites stored in your LastPass vault since encrypted user data was not taken.
As to changing your master password, LastPass says you don't need to do so until you've been notified by email; those notifications are in the process of being sent out.
From maximumpc
from http://bit.ly/1Cbww30