Hackers steal personal data from LastPass servers
Administrators of the password manager LastPass have revealed that hackers stole personal data from its servers. The stolen data reportedly does not include password vaults, but does include email addresses and password reminders, among other things.
The hack is said to have been discovered by LastPass system administrators last Friday. After an investigation, LastPass concludes that no encrypted password vaults or LastPass accounts were taken, but that other sensitive data was: email addresses, password reminders, per-user server salts and authentication hashes.
The administrators state that the protection LastPass applies on its servers is strong enough to shield the password data of almost all users against, for example, brute force attacks. At the server level, PBKDF2-SHA256 is applied, in addition to the encryption of the password vaults on the user's side. LastPass also says that the authentication hashes are generated using a random salt.
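To make the server-side mechanism described above concrete, the following added example (not LastPass's own code or parameters) derives an authentication hash with PBKDF2-SHA256 and a fresh random per-user salt, verifies a login in constant time, and measures what one guess costs an attacker who holds a leaked salt and hash. The iteration count, salt length and record layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for illustration only; LastPass's real settings are not given in the article.
ITERATIONS = 100_000
SALT_BYTES = 16


def make_auth_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Derive a server-side authentication hash (hypothetical scheme).

    A fresh random salt per user means two users with the same password get
    different hashes, so a leaked table cannot be cracked with one shared
    precomputed dictionary.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so the comparison itself leaks nothing about the hash."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def seconds_per_guess(record: dict, candidate: str = "guess") -> float:
    """Cost of testing one candidate password against a leaked salt+hash.

    Key stretching multiplies this cost by the iteration count; it is what
    makes a strong master password expensive to brute force even after a
    leak, while a weak one still falls to a short dictionary.
    """
    start = time.perf_counter()
    verify(candidate, record)
    return time.perf_counter() - start


if __name__ == "__main__":
    record = make_auth_record("correct horse battery staple")
    print("login ok:", verify("correct horse battery staple", record))
    print("wrong password:", verify("hunter2", record))
    print(f"one guess costs about {seconds_per_guess(record):.4f} s at {record['iterations']} iterations")
```

The stored record holds the salt and iteration count in the clear next to the hash; that is expected, because the security comes from the stretched derivation and the entropy of the password, not from hiding the salt.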
Nevertheless, LastPass warns that users with a weak master password in particular should change it as soon as possible. Users who reuse this password on other sites are also strongly advised to change it. As a precaution, every new login from an unknown IP address or a new device now requires account verification by email, unless two-factor authentication is enabled. In that case the master password must also be changed.
LastPass says it regrets the incident and promises to be as transparent as possible about the break-in. The company also states that it will investigate the hack further together with security experts and the authorities.