LastPass Hacked, Hashed Master Passwords Exposed

LastPass, a service that stores a user's credentials behind a single master password, was hacked on Friday, which is obviously not good news. Attackers compromised servers running the password management service and obtained encrypted passwords and other sensitive user data. It was the second breach notification regarding the service in the past four years.

This breach doesn't mean that hackers are now sniffing around in your iTunes, Gmail or Amazon accounts, and LastPass explains why:

In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.

Recommendation: We recommend changing your passwords immediately and making them hard to guess (use symbols such as $%# and uppercase letters). Also enable two-factor authentication.