Password storage utility LastPass reported earlier this week that it discovered suspicious activity on its servers and that, as a result, some of its users’ data has probably been compromised: account emails, password reminders and some of the decryption hashes and salts. According to LastPass, user password vaults were not compromised, nor does it appear that any user accounts were accessed. As a precautionary measure, LastPass has turned on secondary email authentication confirmation for all LastPass logins from new IP addresses, and it is recommending enabling multifactor authentication – a good security practice for any sensitive account (like your email).
What this means for you:
LastPass uses a very strong encryption method to secure your data, and it would take significant computing resources to crack that encryption by brute force. However, if your LastPass master password was easily guessable, an attacker could in theory use the stolen hash and salt to confirm that password and then attempt to gain access to your LastPass account. In short: change your LastPass master password, and if you used that password anywhere else, change it there as well.
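To show why a salted hash still confirms a guessable master password, here is an added example (not LastPass's code) that audits two stored records against a short guess list. PBKDF2-HMAC-SHA256, the iteration count, the salts, the passwords and the guess list are all assumptions constructed for the illustration; the page does not name the algorithm.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Assumption: PBKDF2-HMAC-SHA256 stands in for the real key-derivation
# function, which the page does not name. The iteration count is constructed.
ITERATIONS = 5_000


def derive_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the salted hash a service would store for this password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def guess_matches(guess: str, salt: bytes, stored: bytes) -> bool:
    """True if the guess reproduces the stored hash (constant-time compare)."""
    return hmac.compare_digest(derive_hash(guess, salt), stored)


def audit_record(salt: bytes, stored: bytes, guesses: Iterable[str]) -> Optional[str]:
    """Return the first guess that the record confirms, or None if none match."""
    for guess in guesses:
        if guess_matches(guess, salt, stored):
            return guess
    return None


# Constructed sample data: a short guess list and two per-user records.
COMMON_GUESSES = ["123456", "password", "qwerty", "letmein", "iloveyou"]
SALT_A = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")
WEAK_RECORD = (SALT_A, derive_hash("letmein", SALT_A))
STRONG_RECORD = (SALT_B, derive_hash("orbit-Cactus-91-velvet-harbor", SALT_B))

if __name__ == "__main__":
    # The salt changes the hash, so one precomputed table cannot cover every user...
    print("same password, different salts differ:",
          derive_hash("letmein", SALT_A) != derive_hash("letmein", SALT_B))
    # ...but it does not prevent a guessable password from being confirmed per record.
    print("weak record confirms:", audit_record(*WEAK_RECORD, COMMON_GUESSES))
    print("strong record confirms:", audit_record(*STRONG_RECORD, COMMON_GUESSES))
```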