Way back in 2011, LastPass had a bit of a security wobble as they noticed a “Network traffic anomaly” on one of their non-critical machines.
They took appropriate action, and posted an awful lot of words about what had happened.
They’ve just published an advisory letting users know that there’s been a breach and the steps they should take to avert any potential threat to their accounts.
“...we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
On the off-chance you reused your LastPass master password on other sites, you should alter all affected logins – password reuse is a major problem and not one to be taken lightly.
This might also be a good time to remind everybody of the following:
* Two-factor authentication is available for LastPass users – Google Authenticator will help where that’s concerned, but there are other options available.
* You can allow / deny logins by region. This is a pretty cool feature (and if you turn up in a country but haven’t enabled that location before flying out, you can enable it once there as long as you can get through some security challenges).
* LastPass has a lot of additional security options in place and you should be making the most of them.
It’s to their credit that they’re so forthcoming where a possible breach is concerned; it’ll be interesting to see what additional information they can provide over the coming days.
Christopher Boyd