Password management company LastPass has revealed that it discovered and blocked suspicious activity on its network last week. While the company claims that neither user accounts nor encrypted user vault data were compromised, it said that hackers were able to access some information, including email addresses, password reminders, server per-user salts, and authentication hashes.
“We are confident that our encryption measures are sufficient to protect the vast majority of users,” the company said in a blog post. “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
As part of additional security measures, users who do not have multi-factor authentication enabled and are logging in from a new device or IP address will now be asked to first verify their account by email. Users will also be prompted to update their master password, the company said.
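The layered hashing described in the company's statement can be sketched as follows. This is an added Python example, not LastPass's code: a client-derived authentication hash is stretched again on the server with a random per-user salt and 100,000 rounds of PBKDF2-SHA256 before it is stored. The client-side round count, the use of the username as the client-side salt, the 32-byte salt length and all function names are assumptions.

```python
import hashlib
import hmac
import os

SERVER_ROUNDS = 100_000  # figure quoted in the company's statement
CLIENT_ROUNDS = 5_000    # assumption: the article gives no client-side count


def client_auth_hash(master_password: str, username: str) -> bytes:
    """Client side: stretch the master password before it leaves the device.
    Salting with the lower-cased username is an assumption of this sketch."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.lower().encode(), CLIENT_ROUNDS
    )


def server_enroll(auth_hash: bytes):
    """Server side: generate a random per-user salt and store only the
    re-stretched value, never the hash the client sent."""
    salt = os.urandom(32)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return salt, stored


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute with the user's salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    user, password = "alice@example.com", "correct horse battery staple"
    h = client_auth_hash(password, user)
    salt_a, stored_a = server_enroll(h)
    salt_b, stored_b = server_enroll(h)  # same input enrolled a second time

    print("correct password verifies:", server_verify(h, salt_a, stored_a))
    wrong = client_auth_hash("password123", user)
    print("wrong password verifies:  ", server_verify(wrong, salt_a, stored_a))
    # Per-user salts: identical inputs yield unrelated records, so one
    # precomputed table cannot be reused across the stolen hashes.
    print("records differ per salt:  ", stored_a != stored_b)
    print("PBKDF2 rounds per guess:  ", CLIENT_ROUNDS + SERVER_ROUNDS)
```

Anyone testing a candidate master password against a stored record has to repeat both stages for every guess and for every user separately, which is the cost the statement relies on. A weak or reused master password is still found after few guesses, which is consistent with the prompt to update it.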