If you use the LastPass password manager, it’s time to change your master password.
The company has announced in a blog post that it detected an intrusion on its servers. It claims the encrypted user data was not stolen, but the breach did expose LastPass account email addresses, password reminders, server per user salts, and authentication hashes. For those unfamiliar with the term, authentication hashes are what the service checks to confirm that a user has permission to access the account.
“In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised,” the blog states.
The company said it is taking additional measures to ensure that user data remains secure. The blog post further says that users logging in from a new device or IP address should first verify their account by email, and it asks users to change their master password.
Users do not need to change their passwords for the sites stored in their vault, as the encrypted user data was untouched. “Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multi-factor authentication for added protection for your LastPass account,” the blog post adds.