LastPass users: Your worst nightmare just came true. So what now?

LastPass hacked, but CEO Joe Siegrist urges calm


LastPass, the cloud-based password manager, has been hacked. If you use LastPass, it's probably time for a precautionary master-password change. It might also be a good idea to check out the other options for securing your account.

Password managers: Necessary evil or horribly insecure single point of failure? Discuss.

In IT Blogwatch, bloggers mutter, "Oh, ****."

curated these bloggy bits for your entertainment.

Eric Ravenscraft reports:

Bad news first, folks. LastPass, our favorite password manager (and yours) has been hacked.

Your stored passwords [weren't] stolen, the intruders did take LastPass account email addresses, password reminders, server per user salts, and authentication hashes.

And Christopher Boyd adds:

On the off-chance you reused your LastPass master password on another should alter all affected logins – password reuse is a major problem and not one to be taken lightly.

LastPass has a lot of additional security options in place and you should be making the most of them.

LastPass CEO Joe Siegrist 'fesses up:

On Friday, our team discovered and blocked suspicious activity on our network.

We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side.

So should we panic yet, Graham Cluley?

If you chose a weak master password, or if it isn't very long, then it might be possible for an attacker to crack it through brute force. advising users to immediately change their master password. ... Furthermore, if you are not already doing so you really should enable multi-factor authentication on your LastPass account. [But] don't panic. The sky is not falling.
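The salted, iterated hashing Siegrist describes and Cluley's point about short master passwords can be seen together in this added Python sketch, which is not LastPass's code. The 100,000 server-side rounds come from the statement quoted above; the client-side round count, the email as client-side salt, the 16-byte salt and all function names are assumptions.

```python
import hashlib
import hmac
import os
import time

SERVER_ROUNDS = 100_000  # figure from the statement quoted above
CLIENT_ROUNDS = 5_000    # assumption: the page gives no client-side count


def client_hash(email: str, password: str) -> bytes:
    # Assumed client step: stretch the password, salted with the email,
    # so the raw master password never leaves the device.
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS)


def server_hash(client_digest: bytes, salt: bytes) -> bytes:
    # Server step: random per-user salt plus 100,000 more rounds.
    return hashlib.pbkdf2_hmac("sha256", client_digest, salt, SERVER_ROUNDS)


def enroll(email: str, password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)  # assumed salt size
    return salt, server_hash(client_hash(email, password), salt)


def verify(email: str, candidate: str, salt: bytes, stored: bytes) -> bool:
    digest = server_hash(client_hash(email, candidate), salt)
    return hmac.compare_digest(digest, stored)  # constant-time compare


def seconds_per_guess(samples: int = 3) -> float:
    # Measure what one candidate password costs on this machine.
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        server_hash(client_hash("user@example.com", f"candidate-{i}"), salt)
    return (time.perf_counter() - start) / samples


def years_to_exhaust(keyspace: int, per_guess: float, workers: int = 1) -> float:
    # Worst-case time to try every password in a keyspace at that cost.
    return keyspace * per_guess / workers / (365.25 * 24 * 3600)


if __name__ == "__main__":
    cost = seconds_per_guess()
    print(f"{cost * 1000:.1f} ms per guess")
    # Constructed comparison: 8 lowercase letters vs. a 5-word passphrase
    # drawn from a 7,776-word list.
    print(f"8 lowercase letters: {years_to_exhaust(26 ** 8, cost):.3g} years")
    print(f"5 random words:      {years_to_exhaust(7776 ** 5, cost):.3g} years")
```

The iteration count multiplies both estimates by the same factor, while password length changes the keyspace itself, which is why a long master password matters more than the round count.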

But things are running slowly, as JD Jansen explains:

The danger in a password manager stored centrally on a server is not just the central point of attack, but, as we’re seeing now, when everyone tries to change their password no one can change their password.

You have been reading IT Blogwatch by , who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.
