LastPass Hacked. Be Alert For Phishing Attacks



LastPass, the popular online password management service, has been hacked and data was stolen, including the password hints, which is why you need to be alert for scams trying to exploit that.

In a blog post giving limited details, they went public about the incident. Screenshot to the right. It stated:

"We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."

The immediate thing to understand is that the attackers did not steal LastPass users' master passwords. However, they did get hold of the authentication hashes, the long checksum-like strings derived from the master password that LastPass uses to verify a master password is correct when the service is accessed.
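The layered hashing the notice describes, modelled here as an added example (not LastPass's code): the 100,000 server-side PBKDF2-SHA256 rounds and the random per-user salt come from the notice, while the client-side round count and the use of the account email as the client-side salt are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# 100,000 server-side PBKDF2-SHA256 rounds and a random per-user salt are stated in the
# LastPass notice; the client-side round count here is an assumption for illustration.
CLIENT_ROUNDS = 5000
SERVER_ROUNDS = 100_000


def client_auth_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side stretching of the master password (email as salt is an assumption).
    Only this derived value, never the master password itself, leaves the user's device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), rounds)


def server_strengthen(auth_hash: bytes, per_user_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side strengthening: a second PBKDF2-SHA256 pass with a random per-user salt.
    The salt and this output are what the notice says were compromised."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, rounds)


def enroll(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Create a new account record: (per_user_salt, stored_authentication_hash)."""
    salt = os.urandom(16)
    return salt, server_strengthen(client_auth_hash(master_password, email), salt)


def verify(master_password: str, email: str, salt: bytes, stored_hash: bytes) -> bool:
    """Login check: recompute both passes and compare in constant time."""
    candidate = server_strengthen(client_auth_hash(master_password, email), salt)
    return hmac.compare_digest(candidate, stored_hash)


def work_per_guess() -> int:
    """PBKDF2 iterations someone holding a leaked salt and hash must spend per candidate
    master password; the per-user salt also rules out shared precomputed tables."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


if __name__ == "__main__":
    # Constructed sample account, not real data.
    salt, stored = enroll("correct horse battery staple", "user@example.com")
    print("correct password accepted:", verify("correct horse battery staple", "user@example.com", salt, stored))
    print("wrong password rejected:", not verify("password123", "user@example.com", salt, stored))
    print("PBKDF2 rounds per offline guess:", work_per_guess())
```

Because every guess against a leaked record costs the full round count, the strength of the master password itself is what decides whether the leaked hash is of any use to the attacker.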

Should You Change Your Master Password?

One major relief is that LastPass stated that the hackers did not access the password vaults, which hold the passwords you use on other sites, so you can leave all those be. However, you might have to change your master password.

It depends on the strength of your master password. If yours is short and easy to guess, the bad guys can run a so-called "brute force" attack against the stolen hash, where a computer tries thousands of guesses a second. If you have a long, very strong password, you should be OK. However, if you have used your LastPass master password on other websites, then RUN to your computer and change your master password ASAP. The site could be a bit busy at the moment though! In that case, try later.

And there is something else to watch out for as well. The attackers made off with the password hints. That means they could send you a phishing email quoting your correct password hint and trick you into revealing your password. Be especially alert when you get any email from LastPass or claiming to be from them. Think Before You Click!

And as always, there is no reason to panic. Stay calm and secure your account; LastPass's advice is good.

For KnowBe4 customers, we have a template in the Current Events section you can send to your employees to inoculate them against a possible social engineering attack. If you are not a KnowBe4 customer yet, stepping all employees through new-school security awareness training is a very good idea. Find out how affordable this is for your organization. Ask for a quote here and you will be pleasantly surprised.
