LastPass, a popular online password management service, has been hacked, the company wrote on its official blog Monday evening. It also advised users to change their master passwords.
LastPass announced that its service was compromised after the company detected an intrusion on its servers. According to the company, while encrypted user data was not stolen, the hackers were able to retrieve LastPass account email addresses and password reminders. User-specific salts and authentication hashes -- cryptographic tools used to encrypt passwords -- were also accessed by the hackers, the company said.
“We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password,” CEO Joe Siegrist wrote in the post.
The company also advised users to change only their LastPass master password, which is used to retrieve all the passwords of users’ other accounts. It also noted that the encrypted data of the individual accounts was unharmed.
According to the Associated Press, security experts encourage the use of password managers such as LastPass, which simplify the process of managing passwords for several online accounts without having to remember each one of them.
Experts commended LastPass for announcing the breach, AP reported. They also urged users to change only their master passwords and reminded them not to click on any links within emails that claim to be from LastPass.