On Monday password manager service LastPass admitted it had been the target of a hack that accessed its users’ email addresses, encrypted master passwords, and the reminder words and phrases that the service asks users to create for those master passwords.
The company says the cryptographic protections it has in place on those master passwords—which include “hashing” and “salting” functions designed to make cracking the underlying passwords nearly impossible—are enough to protect almost all of its users. But those with simple passwords or ones reused from other sites could still be vulnerable. “We are confident that our encryption measures are sufficient to protect the vast majority of users,” LastPass CEO Joe Siegrist wrote in a note to customers. “Nonetheless, we are taking additional measures to ensure that your data remains secure, and users will be notified via email.”
LastPass says it detected the attack on Friday, just days before it reset users’ passwords, required email verification, and alerted law enforcement and security forensics experts. But if the attack had persisted for any period of time undetected before that, it’s possible that even stronger master passwords could have been compromised, Bonneau says. Right now, we just don’t know how long the hack lasted. “It really depends on how quickly [Lastpass] discovered this, and we don’t have any information on that,” Bonneau says.