LastPass Password Manager Service Has Security Breach

Password manager service reports security breach. What users need to do next.

By ABC News
June 16, 2015, 10:23 AM
The company that makes the password manager LastPass sent this notification to users of the software that a security breach has compromised some user data, June 15, 2015.

LastPass, the digital vault where many users have chosen to store their passwords for various websites, is urging users to take precautions after the password defender suffered a security breach.

Password managers have become a popular choice for security-savvy users to store their username and password information behind a single master password, allowing them to ensure they don't choose easy passwords or re-use the same ones across various sites.

LastPass chief executive Joe Siegrist said the company's investigation found email addresses, password reminders, authentication hashes and server per-user salts (a mechanism to make a password more difficult to crack) may have been compromised. But damage from the security breach, which occurred last Friday, is minimal to nonexistent because the breach did not penetrate the vault where the passwords are stored.

As a result, Siegrist said the company is taking a proactive approach to ensure customer data remains secure.

"We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled," he wrote.

Additionally, users will be prompted to update their master password -- which is essentially the key to their online kingdom of username and password information. Since the breach didn't reach the LastPass vault, all stored user passwords are safe.

Multifactor authentication is an additional layer of security users can choose to add to their LastPass accounts, requiring them to undertake a second step after entering their master password and before gaining access to their account.