Within the security community, password managers have long been controversial. Some say online password managers help everyday users become more secure than they would otherwise, because it makes it easier to set up complex different passwords for different accounts without having to remember them all. Others have been wary of password managers like LastPass because if the password manager gets breached, hackers can potentially unlock all the accounts managed through the service.
Joe Siegrist, the LastPass chief executive, said the company discovered the breach on Friday after detecting suspicious activity on its network. The company said that it found no evidence that LastPass user accounts were compromised, or that hackers were able to get users' master passwords, or passwords encrypted with that user password.
But the data hackers did access - including email addresses and password reminders - is still troubling, security experts note, in that often all hackers need to unlock an email account is an email as a username plus a password reminder.
Tod Beardsley, a security engineering manager at Rapid7, said that the attack gave hackers a list of LastPass user email addresses that they could target in so-called phishing attacks, in which they send victims emails with links that try to trick users into revealing more data, like a fake "Update your LastPass master password" email, that can be used to crack their accounts.
LastPass said it would be resetting users' master passwords, and advised users to turn on multifactor authentication, an added security measure which requires a second one-time password, often sent to users via text message, anytime they log in to their accounts from an unrecognized machine.
The company said it was confident that its encryption measures would be enough to protect the vast majority of its users. LastPass strengthens the keys needed to unlock master passwords by forcing them to go through a large number of complicated iterations. The company appends random digits to the key, then encrypts it more than 100,000 times, which makes it difficult to break stolen hashes with password cracking tools.
The attack was the second breach notification from LastPass. The first incident happened four years ago. The latest attempt to access the company's passwords was discovered on Friday, but a picture posted to Imgur, the image sharing site, of a Google security warning suggests that hackers may have found a way inside the service as long as three weeks ago.
© 2015 New York Times News Service