It’s not a major breach, but after LastPass “discovered and blocked suspicious activity” on their network last Friday, they’re requiring everyone update their master passwords. Announced on their blog and in email sent to users, LastPass says they didn’t find any evidence that actual stored passwords were stolen, but they did notice user email addresses, authentication hashes, password reminders, and server per user salts were “compromised.” LastPass said in a blog post:
“We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
In order to ensure hackers aren’t attempting to access your account, LastPass is now requiring that any and all users logging in from a new device or IP verify their accounts by email. That is, those that don’t already have multi-factor authentication enabled (and you should and you and you can learn more about that here). Lastly, anyone using weak, dictionary-based passwords or using the same password as their master on other sites… yeah, don’t do that. Update.