The LastPass Data Breach

LastPass is a password management service that allows users to centralize all of their collective passwords under one master password. On June 15, 2015, LastPass announced that it was hacked and user data was compromised in the process.

What was stolen from the LastPass database?

LastPass officials released a statement following the attack proclaiming that the hackers did not steal master passwords, but instead gained access to authentication hashes and/or checksums. These are used in order to verify that the master password is correct upon trying to access an account. The attack also compromised cryptographic salts, password reminders, and user email addresses. Officials are confident that LastPass encryption measures ensure the protection of most users and their master passwords. However, it is also possible that fairly weak master passwords, or ones short in length, were also subject to the attack.

What danger does the hack pose?

Although, plain text versions of the master passwords were not obtained, there is fear that the attackers have all of the components to attack the master passwords at full force in the future. Since they have encoded versions of passwords, weak passwords are currently facing a higher risk. The hackers will also be able to use rented computer servers and powerful computing to figure out some of the stronger passwords. The hackers have access to password reminders, so with the help of public records, they might be able to decipher simple answers. This means that they could potentially gain access to bank accounts, social media accounts, records, files, and essentially much of the information that is meant to be protected by encryption.  In addition, back doors have been built into encrypted communications, increasing threats to common users. The accumulating threats have evoked strong reactions in cybersecurity experts and proposition has been made in order to protect consumers from impending threats.

What measures has LastPass taken since the attack?

Because the hackers did not reach the password vaults where encrypted data is stored on the company server, there is no need for users to change their passwords on individual online websites. However, master passwords should be changed and strengthened as a precautionary measure. LastPass has improved its rigorous hashing mechanism, increasing its authentication hash with “…a random salt and 10,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed on the client side. This…makes it difficult to attack the stolen hashes with any significant speed”, said Joe Siegrist in a statement released by the company. To prevent further attacks, LastPass is requiring all users attempting to log in from an unrecognized IP address or device to verify their account. This verification is done through email or text, unless multifactor authentication is enabled.

With end-user computers becoming increasingly easier to hack, it is difficult to pin down a safe database for the storage of personal data. The storage of many or all passwords in the cloud has been a long-time security concern. Vulnerability still exists in the storage environment of a database, such as LastPass, and vault contents are not yet completely safe.

At our law firm, we help inform clients regarding the rules and regulations which apply to cybercrime. You may contact us in order to setup an initial consultation.