LastPass, the cloud-based password vault that keeps your authentication details for all your online "things" has been compromised. While rather embarrassing for LastPass, I can hardly say I am surprised. Given what they store, they are always going to be a target for the criminals.

It's not that bad though

Thankfully the encrypted user vault data does not appear to have been accessed. LastPass has disclosed that account email addresses, password reminders, server-side per-user salts and authentication hashes have been compromised.

"We are confident that our encryption measures are sufficient to protect the vast majority of users," said LastPass in a notice on the website. "LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."
According to LastPass, there is no need to change passwords on sites stored in your LastPass vault. However, if you have weak master passwords or have reused master passwords on any other website, these should be updated immediately.
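As an added illustration, not LastPass's own code, here is a small Python model of the two-stage stretching the notice describes: the client derives an authentication hash from the master password, and the server stores that hash under a random per-user salt after 100,000 further rounds of PBKDF2-SHA256. The client-side round count and the use of the account email as the client-side salt are assumptions; only the server-side figure comes from the notice.

```python
import hashlib
import hmac
import os
import time

# Round counts: 100,000 server-side rounds is the figure from the LastPass notice;
# the client-side count is an assumption for this example, as is the use of the
# lowercased account email as the client-side salt.
CLIENT_ROUNDS = 5000
SERVER_ROUNDS = 100_000
SALT_BYTES = 16


def client_auth_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side stretching: the browser sends this derivative, never the master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), rounds)


def server_store(auth_hash: bytes, rounds: int = SERVER_ROUNDS) -> tuple[bytes, bytes]:
    """Server-side strengthening: fresh random per-user salt plus 100,000 more rounds.
    The (salt, stored_hash) pair is what lives in the database and what the breach exposed."""
    salt = os.urandom(SALT_BYTES)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds)
    return salt, stored


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes, rounds: int = SERVER_ROUNDS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds)
    return hmac.compare_digest(candidate, stored)


def seconds_per_guess(email: str, salt: bytes) -> float:
    """Cost of testing ONE master-password guess against a stolen (salt, hash) record:
    both the client-side and the server-side rounds must be repeated for every guess, and
    the random per-user salt means none of that work can be precomputed or shared across users."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", client_auth_hash("guess", email), salt, SERVER_ROUNDS)
    return time.perf_counter() - start


if __name__ == "__main__":
    email = "user@example.com"  # constructed sample account
    salt, stored = server_store(client_auth_hash("correct horse battery staple", email))
    print("login ok:", server_verify(client_auth_hash("correct horse battery staple", email), salt, stored))
    print("wrong password rejected:", not server_verify(client_auth_hash("hunter2", email), salt, stored))
    print(f"one guess costs {seconds_per_guess(email, salt):.3f}s on this machine")
```

The per-guess cost printed at the end is the whole of the defence once the salts and hashes are in an attacker's hands, which is why the notice's advice hinges on master-password strength rather than on the stretching alone.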

Tod Beardsley, Rapid7's security engineering manager, is reported to have said "what this means is that attackers seem to have all they need to start brute-forcing master passwords. So far, the attackers do not seem to have access to the passwords encrypted with that master password. They incidentally have a list of LastPass users by e-mail address."

So the fact that the attackers are now armed with a list of LastPass users by e-mail means that there could be some targeted phishing campaigns, presenting users with fake "Update your LastPass master password" links. Keep an eye on those emails and be very wary of clicking on links.