LastPass, a password manager, revealed Monday that it had been the target of a hack that compromised account email addresses and several security elements used to encrypt user data.
"We are confident that our encryption measures are sufficient to protect the vast majority of users," the company said in a statement. "Nonetheless, we are taking additional measures to ensure that your data remains secure."
LastPass stores the passwords for a user's various online logins in an encrypted vault and uses one master password to unlock them.
Users most in danger of being personally hacked as a result of the breach, first detected Friday, are those who have committed one or both of these two cardinal sins of online safety: using a weak master password and reusing that password on multiple sites.
The company does not store master passwords themselves; like most services, it stores a one-way cryptographic hash of each master password and uses that to authenticate logins. Hashing is not the same as encryption, and security experts warn that it does not stop an attacker who has stolen the hashes: cracking software hashes candidate passwords the same way the service does, many thousands of candidates at a time (far more on dedicated hardware), and looks for a match. This guessing is called a "brute force" attack, and its simplest form, a "dictionary" attack, tries predictable strings and common words first. Weak master passwords such as robert1, mustang, 123456789 or password1! are therefore the ones most likely to be guessed first.
"LastPass uses some hefty encryption on (its authentication hashes), so it will take a while to recover master passwords with dedicated cracking gear," explained Tod Beardsley, security engineering manager at online security firm Rapid7, "but easy passwords will fall easily."
Jeremy Spilman, CTO of TapLink, which provides its own kind of password security services, added, "With potentially massive botnets at their disposal, it's difficult to know for sure how fast (attackers) are cracking passwords, but usually it's just a matter of time. As users, the only prudent choice we are left with is to assume that our passwords will eventually be cracked."
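The following is an added example, not code from the article or from LastPass, showing why a stolen authentication hash is "just a matter of time" for a weak master password but not for a strong one. It assumes a salted PBKDF2-HMAC-SHA256 verifier as a stand-in for whatever LastPass actually uses (the article does not describe the scheme), and it uses a constructed pair of leaked records and a six-word wordlist in place of the multi-million-entry lists and GPU rigs real crackers bring to bear.

```python
import hashlib
import hmac
import os
import time

# Assumption: the stored verifier is salted PBKDF2-HMAC-SHA256. The iteration
# count is kept deliberately low so the demo runs in seconds; production
# deployments use far more, which is what makes cracking "take a while".
ITERATIONS = 5_000


def auth_hash(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the stored verifier from a master password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def make_record(email: str, master_password: str) -> dict:
    """Build one stolen-record stand-in: email, random salt, and the verifier."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": auth_hash(master_password, salt)}


# Constructed "stolen" records: one weak master password from the article's
# list of bad examples, one long random one (hypothetical value).
LEAKED = [
    make_record("robert@example.com", "mustang"),
    make_record("dana@example.com", "5dNc8NSH0qC8kHfZGLePW"),
]

# Constructed wordlist. Real lists are ordered most-common-first for the same
# reason: the easy passwords fall within the first few guesses.
WORDLIST = ["123456789", "password1!", "robert1", "mustang", "letmein", "qwerty"]


def dictionary_attack(record: dict, wordlist: list, iterations: int = ITERATIONS):
    """Hash each candidate with the record's salt and compare to the stolen verifier.

    Returns (password, guesses_made) on a hit, or (None, guesses_made) if the
    wordlist is exhausted. The salt forces this work to be redone per user.
    """
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(auth_hash(candidate, record["salt"], iterations), record["hash"]):
            return candidate, guesses
    return None, len(wordlist)


def crack_all(records: list, wordlist: list) -> dict:
    """Map each leaked email to its recovered master password, or None."""
    return {r["email"]: dictionary_attack(r, wordlist)[0] for r in records}


if __name__ == "__main__":
    start = time.perf_counter()
    for record in LEAKED:
        password, guesses = dictionary_attack(record, WORDLIST)
        outcome = f"cracked after {guesses} guesses: {password}" if password else "not in wordlist"
        print(f"{record['email']}: {outcome}")
    print(f"finished in {time.perf_counter() - start:.2f}s at {ITERATIONS} iterations per guess")
```

Raising ITERATIONS makes every guess proportionally slower for the attacker, which is the "hefty encryption" Beardsley refers to, but it never changes the outcome for a password that sits near the top of the list; only the strong password survives because it is not in any list at all.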
Anyone with a LastPass account is advised to change their master password. Those with weak passwords should do so immediately. (If your password appears on any published list of the Web's worst passwords, you're in the latter group.)
The LastPass statement assured users that "because encrypted data was not taken, you do not need to change your passwords on sites stored in your LastPass vault." However, if you've used your master password on any other site, that's a problem.
The attackers got hold of email addresses, so if you've used the same password for any other login tied to your email address, then once they crack it they can simply log in to those other accounts.
"Thus, if you're a LastPass user, and you've used your master password somewhere else (also associated with your email address), then you're going to want to change that password on both LastPass and your other sites," Beardsley said. "This is precisely the reason why one shouldn't reuse passwords; once one site gets compromised, all of your accounts that use that password are now exposed as well. This is precisely what LastPass's service intends to solve, by encouraging unique passwords for sites."
In an unfortunate twist, the same password reuse could also undermine one of the measures LastPass has taken to help customers protect themselves after the hack.
The company said "LastPass user accounts are locked down," and it is requiring that all users who log in from a new device or IP address first verify their account by email, the way one often has to when first signing up for a new site or service. But if you've used your master password as your email password, you're "in big trouble," Beardsley warned. That's because if the hackers have both, they could conceivably open your email and click the verification link for you.
LastPass is sending email notifications to all users about the incident and says it is working with authorities and security forensic experts.