LastPass, the password management service, posted an update on June 15 to its blog noting that there had been “suspicious activity” on its website. The company stated, however, that its encryption measures have kept all of its users’ data safe.
“LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side,” wrote LastPass CEO and Founder Joe Siergrist. “This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
As a result of the suspected breach, LastPass says it’s requiring all of its users who are logging in from a new device or IP address to verify their email, unless a multifactor authentication is enabled. LastPass is also asking everyone to update their master password, which could be a downer if you already committed your old one to memory.
And to make sure everyone is up to speed, LastPass is emailing all of its customers about the breach. Now, it appears that the website is handling a large wave of customers attempting to keep their data secure, according to TechSpot.
As of late Monday afternoon, a server overload message has been popping up when you attempt to change your master password. This doesn’t mean you should give up on taking LastPass’ advice, however, especially if it turns out the breach is worse than expected.
“We apologize for the extra steps of verifying your account and updating your master password, but ultimately believe this will provide you better protection,” Siergrist continued.
LastPass, which is headquartered in Virginia, does business in 71 countries around the world. In addition to encrypting passwords, LastPass encrypts and decrypts information locally before syncing it. This allows you to keep your sensitive data on your device.
“Security and privacy are our top concerns here at LastPass,” said Siergrist, reassuring customers following the breach.