LastPass, the online password manager, has revealed it is the victim of a cyberattack in which user data was compromised, and it has urged all users to change their master password.
LastPass is among a growing number of companies which offer to remove the hassle of having to remember dozens of different passwords for online services such as email, banking and social media accounts by using a single master password.
The breach, which follows a similar attack in 2011, was revealed by the company in a security advisory published on its website and emailed to all customers. Here we look at just what has happened and what risk it poses to users.
According to a security notice published by LastPass, the company discovered and blocked suspicious activity on its network. An investigation has revealed no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed - but the attackers were able to make off with some customer information.
There is no indication of whether all or only some customer data was stolen, and there is also no suggestion of who the hackers were.
What information was stolen?
LastPass account email addresses, password reminders, hashed user passwords and cryptographic salts.
Hashes? Salts? What?
The most basic method of protecting passwords is known as hashing, which sees your plain text string of characters run through an algorithm that turns it into a string of gibberish that cannot be reversed - in theory.
In reality, thanks to the increase in computing power, recovering hashed passwords - particularly weak ones such as '123456' - is relatively easy: an attacker hashes huge numbers of guesses and looks for matches, and for a lot of passwords that succeeds quickly. To protect against this, a salt is used.
In cryptography, a salt is a random string of data that is used as an additional layer of protection for a one-way function that hashes a password. Because each user's salt is different, even weak passwords become much more difficult to crack, and cracking lots of passwords at once becomes very difficult, since every password has to be attacked separately.
So are all my passwords now at risk?
No, not immediately at least. LastPass says it is "confident its encryption measures are sufficient to protect the vast majority of users".
The company added that it "strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side".
What this means in plain language is that LastPass's encryption is among the very best around, and experts believe the real-world risk to users is minimal.
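To make the hashing, salting and PBKDF2 discussion above concrete, here is an added illustration (not LastPass's code; only the standard library is used) of a salted PBKDF2-SHA256 password store using the 100,000 server-side rounds the advisory quotes. The client-side rounds LastPass also mentions are not modelled, and the sample passwords and word list are constructed for the example.

```python
import hashlib
import hmac
import os

# Parameters taken from the advisory's description of the server-side step.
ROUNDS = 100_000
HASH = "sha256"
SALT_LEN = 16  # bytes of random salt per user


def hash_password(password, salt=None, rounds=ROUNDS):
    """Return (salt, derived_key). A fresh random salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, rounds)
    return salt, dk


def verify_password(password, salt, expected, rounds=ROUNDS):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, dk = hash_password(password, salt, rounds)
    return hmac.compare_digest(dk, expected)


def same_password_different_salts(password):
    """Two users with the same password get different stored hashes, so a
    table precomputed for one salt says nothing about the other user."""
    salt1, dk1 = hash_password(password)
    salt2, dk2 = hash_password(password)
    return salt1 != salt2 and dk1 != dk2


def guesses_needed(salt, expected, wordlist, rounds=ROUNDS):
    """Count the candidates an attacker must try before one matches. Each
    guess costs a full PBKDF2 run of `rounds` iterations, and because the salt
    is per user the whole word list must be re-hashed for every account."""
    for position, guess in enumerate(wordlist, 1):
        if verify_password(guess, salt, expected, rounds):
            return position
    return None


if __name__ == "__main__":
    salt, stored = hash_password("correct horse battery")  # constructed sample
    print("different salts give different hashes:", same_password_different_salts("123456"))
    print("login with right password:", verify_password("correct horse battery", salt, stored))
    print("guesses until match:", guesses_needed(salt, stored, ["123456", "password", "correct horse battery"]))
```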
Should I change my master password?
In an email sent to all LastPass users, the company says it will urge everyone to update their master password. The company added that as a further level of protection, it would require all new login attempts from new devices or IP addresses to be verified via email.
The company adds that if you have used your master password on any additional websites, you should change the password on those sites also.
What if I have two-factor authentication turned on?
If you already have this extra level of security enabled, then you won't be required to verify new devices/IP addresses via email. All users should strongly consider enabling this security measure on their account.
So there's nothing to worry about, right?
That's not entirely accurate. Even if the attackers can't crack the encryption used by LastPass, they do have some very personal information about you. They know your email address, and they have an idea of what your password is from the password reminders they accessed.
With this information it is likely that the hackers could use social engineering techniques - such as phishing emails - to trick users into revealing their passwords.
Steve Bellovin, a professor in computer science at Columbia University, told Krebs on Security: "I suspect that for a significant number of people, the password reminder — in addition to the user's email address — is going to be useful for an attacker. But password reminders are useful for targeted attacks, not massive attacks. That means that if your password reminder or hint is not particularly revealing to someone who doesn't know you, it probably doesn't matter much. Except in the case of targeted phishing attacks."