If you use LastPass to store all your passwords, you may want to change your master password. Users’ vaults containing their passwords for myriad accounts across the web are safe, but email addresses, password reminders and the code that could reveal master passwords may have been taken, according to a post from LastPass.
All users logging in from a new device or IP address will be asked to verify their accounts via email unless they have multifactor authentication enabled. Those with multifactor authentication are likely safe from any breach of their password vault. LastPass will also require all users to change their password.
While the company asked users to wait until prompted before changing their passwords, it appears the password reset system is currently overwhelmed.
This might not be the first time LastPass has been breached. In 2011, the site noticed an anomaly in data traffic that may have been the result of leaked passwords. VentureBeat also points out a Google security alert page posted to Imgur three weeks ago that may be related to the hack.
This should serve as a reminder that multifactor authentication should always be used. It’s available for most sites, including Facebook, Twitter and many banks and email accounts.
LastPass was also vulnerable because it provided storage for all passwords in the cloud. Some other password vault programs don’t store any password information on their servers, allowing users to sync data through other services and requiring hackers to access both the cloud-storage account and the master password for the vault. We’ve recommended 1Password before, but KeePass also provides a more secure (if less convenient) option.