Joe Siegrist of LastPass, a famous password manager program, has admitted that its database of email addresses, server per-user salts, password reminders and authentication hashes was hacked.
Joe Siegrist of LastPass wrote in his blog post published yesterday that “investigation has shown … that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
LastPass is a password management program that allows users to store their passwords in encrypted form on its servers. To access their passwords, users need to select a strong master password, which they need to remember. This master password is entered when they log in to LastPass to access the list of all their stored passwords.
LastPass’s servers keep a list of all the stored passwords; however, since these are heavily ciphered (that is, encrypted), it is almost impossible to crack them. This is why it is hard to believe that hackers could have decrypted the passwords.
It must be noted that this hack doesn’t mean that attackers have gained full access to LastPass’s database of passwords. The attack does, however, involve the compromise of weak master passwords. Also, if a user has used the same password on other websites, that password would most probably be compromised there as well.
To resolve the issue, LastPass users must immediately change their master password if they have selected a weak one, and they need to enable multi-factor authentication. This will make it impossible for hackers to access their accounts.
However, there is no need to change the passwords that users have stored in their LastPass account.