“We are confident that our encryption measures are sufficient to protect the vast majority of users,” he blogged. “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
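The layered hashing described in that statement can be sketched as follows. This is an added illustration, not LastPass code: only the random salt and the 100,000 server-side PBKDF2-SHA256 rounds come from the statement, while the client-side round count, the use of the e-mail address as client-side salt, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

CLIENT_ROUNDS = 5_000     # assumption: the statement gives no client-side count
SERVER_ROUNDS = 100_000   # from the quoted statement


def client_auth_hash(email: str, master_password: str) -> bytes:
    """Client side: stretch the master password before anything is sent.
    Salting with the e-mail address is an assumption made for this sketch."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def server_enroll(auth_hash: bytes) -> tuple[bytes, bytes]:
    """Server side: re-hash the received value under a fresh random salt.
    Only (salt, stored) is kept, so a stolen record never contains the
    value the client actually transmits at login."""
    salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return salt, stored


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute the server-side rounds and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def rounds_per_guess() -> int:
    """PBKDF2 iterations needed to test one candidate master password
    against a stolen (salt, stored) record: both layers must be redone."""
    return CLIENT_ROUNDS + SERVER_ROUNDS


if __name__ == "__main__":
    # Constructed sample accounts: two users who picked the same password.
    a = client_auth_hash("alice@example.com", "correct horse battery staple")
    b = client_auth_hash("bob@example.com", "correct horse battery staple")
    salt_a, stored_a = server_enroll(a)
    salt_b, stored_b = server_enroll(b)
    print("same password, different records:", stored_a != stored_b)
    print("alice logs in:", server_verify(a, salt_a, stored_a))
    print("bob's hash against alice's record:", server_verify(b, salt_a, stored_a))
    print("iterations per offline guess:", rounds_per_guess())
```

Because each record has its own random salt, work spent guessing against one stolen record cannot be reused against another.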
The investigation did not turn up any evidence that encrypted user vault data was taken or that LastPass user accounts were accessed.
“Nonetheless, we are taking additional measures to ensure that your data remains secure,” Siegrist blogged. “We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password. An email is also being sent to all users regarding this security incident.”
This is the latest in a series of internet-wide security breaches taking place almost daily. No matter where you store your data – locally on your computer's hard drive, on a storage device connected to your network, or in the cloud – it is not safe and can be breached. Ensure you take the proper precautions to secure your more valuable data so that when it is stolen – and it is a matter of when, not if – you can feel confident it will remain unreadable.