LastPass users take note: it may be time to pick a new password. On Friday, the service noticed "suspicious activity on our network," and today it issued a security notice to users. The activity doesn't seem to have revealed any data from users' password vaults, but the attackers were able to compromise some users' email addresses, password reminder messages, and hashed versions of the master password for certain users' vaults.
It's unclear how the attack took place, but the data seems consistent with a social engineering attack and other unsophisticated methods. It's unclear how long the attackers were active, but LastPass says it shut down the activity on Friday, and has been aggressively monitoring for suspicious activity in the days since. "We are confident that our encryption measures are sufficient to protect the vast majority of users," the notice read. "Nonetheless, we are taking additional measures to ensure that your data remains secure, and users will be notified via email." We have reached out to LastPass for clarification, and will update with any response.
Breaches do the most damage when they're ignored or covered up, so the announcement itself is a good sign. The notice will let users keep an eye on their account activity and reset the master password if they're worried about any lingering data getting out. (I just reset mine, for what it's worth.) At the same time, the structure of breach investigation makes it hard to be entirely reassured. LastPass' investigation hasn't turned up any access to sensitive information, but if the attackers did somehow breach a user account, that evidence could be significantly more difficult to uncover.
The best news for users is that LastPass performs significant hashing on both its servers and the user's own computer, so simply recovering the authentication hashes won't do the attackers much good. Still, an attacker could potentially use the hashes to guess at a user's password (either working from personal information or a list of common passwords) offline, without exposing themselves to the network at large. That's a time-consuming process, but it puts users with more easily guessable passwords at particular risk, which is one reason why LastPass recommends those users update their master passwords as soon as possible. The service is also requiring email verification for any login from a new location (assuming the user doesn't already have two-factor protection enabled), so even a recovered password won't necessarily result in a compromised account.
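To make the hashing argument concrete, here is an added Python example (not LastPass's code, and not its real parameters) of a two-stage scheme of the kind the paragraph describes: the client stretches the master password with PBKDF2 before it ever leaves the machine, and the server stretches the result again with a per-user random salt before storing it. The round counts, email addresses, passwords and wordlist are all constructed for illustration. The point it shows is that anyone holding only the stored records has to pay both stretching stages for every single guess, which is why a password on a short common-password list is still exposed while a strong one is not.

```python
import hashlib
import hmac
import os
import time

# Constructed round counts for illustration only; NOT LastPass's actual settings.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_auth_hash(email: str, master_password: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side stage: stretch the master password with PBKDF2-HMAC-SHA256,
    salted with the lower-cased email so two users with the same password
    still produce different authentication hashes. Only this value is sent."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), rounds)


def server_stored_hash(auth_hash: bytes, salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side stage: stretch the received auth hash again with a random
    per-user salt. The database holds only this value and the salt, so a copy
    of the database yields neither the master password nor the client hash."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds)


def enroll(email: str, master_password: str) -> dict:
    """Create the record the server would keep for a new user."""
    salt = os.urandom(16)
    stored = server_stored_hash(client_auth_hash(email, master_password), salt)
    return {"email": email, "salt": salt, "hash": stored}


def verify_login(record: dict, email: str, master_password: str) -> bool:
    """Re-derive both stages and compare in constant time."""
    candidate = server_stored_hash(client_auth_hash(email, master_password), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def seconds_per_guess(rounds_client: int = CLIENT_ROUNDS,
                      rounds_server: int = SERVER_ROUNDS, samples: int = 3) -> float:
    """Measure the cost of one full two-stage derivation on this machine.
    This is the per-guess cost anyone holding only the stored record must pay."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(samples):
        server_stored_hash(client_auth_hash("timing@example.com", "x", rounds_client),
                           salt, rounds_server)
    return (time.perf_counter() - start) / samples


def hours_to_exhaust(candidates: int, per_guess_seconds: float) -> float:
    """Time to try every entry of a candidate list sequentially at the measured cost."""
    return candidates * per_guess_seconds / 3600


def on_common_list(record: dict, common_passwords: list[str]) -> bool:
    """Risk check a defender can run over their own records: does the stored
    hash correspond to any entry on a short common-password list? Every check
    costs both stretching stages, which is exactly what the stretching buys."""
    return any(verify_login(record, record["email"], p) for p in common_passwords)


if __name__ == "__main__":
    # Constructed sample users and a constructed, deliberately tiny wordlist.
    weak = enroll("weak@example.com", "password1")
    strong = enroll("strong@example.com", "correct-horse-battery-staple-7731")
    wordlist = ["123456", "password", "password1", "qwerty", "letmein"]

    cost = seconds_per_guess()
    print(f"one guess costs about {cost * 1000:.1f} ms on this machine")
    print(f"a 1,000,000-entry list would take about {hours_to_exhaust(1_000_000, cost):.1f} hours")
    print("weak user on the common list:", on_common_list(weak, wordlist))
    print("strong user on the common list:", on_common_list(strong, wordlist))
```

Raising either round count raises the cost of every guess for everyone, but it does nothing for a master password that sits on the first page of a common-password list; that is why the advice to users with guessable passwords is to change them rather than to wait for stronger hashing.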