A picture posted to Imgur indicates that LastPass may have been breached last month.
The picture of a Google security message warning “attackers may be trying to steal your information from lastpass.com” was posted to Imgur three weeks ago. The photo raises questions about how long the attackers were in the LastPass network and how many accounts were affected.
Earlier today, password manager LastPass revealed that a breach on its network allowed bad actors to access user email addresses, password reminders, and authentication hashes.
LastPass says that no encrypted user data was pilfered, which means that names and passwords for individual accounts should be safe. However, the company is asking users to update their master passwords as soon as possible. Users who have a master password that is the same as a password on another site should change that password in both locations. The company is also encouraging users to add two-factor authentication to their accounts. Two-factor authentication requires another form of identification in addition to a password, like a PIN code sent to your phone.
Despite the company’s cautionary advice, LastPass said that passwords stored in its system are safe.
“We are confident that our encryption measures are sufficient to protect the vast majority of users,” wrote LastPass CEO Joe Siegrist in a blog post. LastPass secures stored passwords with a hashing mechanism slow enough that recovering them in plain text would require a significant amount of computing power.
Siegrist says his company first saw “suspicious activity” on its network last Friday. The bad actor was subsequently blocked, but not before he or she was able to snag some of the user data.
LastPass was also breached in 2011. Then and now, breaches like these challenge the wisdom of storing all of your passwords in the cloud.