LastPass has sent out a notice to its users, notifying the community that on Friday, their team
discovered and blocked suspicious activity on their network. ” In their investigation, they found no evidence that encrypted user vault data
was taken, nor that LastPass user accounts were accessed. The
investigation has shown, however, that LastPass account email addresses,
password reminders, server per user salts, and authentication hashes
were compromised.
LastPass stated “We are confident that our encryption measures are sufficient to
protect the vast majority of users. LastPass strengthens the
authentication hash with a random salt and 100,000 rounds of server-side
PBKDF2-SHA256, in addition to the rounds performed client-side. This
additional strengthening makes it difficult to attack the stolen hashes
with any significant speed.”
They are taking additional measures to ensure that users’ data remains secure. They are requiring that all users who are logging in
from a new device or IP address first verify their account by email,
unless they have multifactor authentication enabled. As an added
precaution, they will also be prompting users to update their master
password.
An email is also being sent to all users regarding this security incident.
Source: https://blog.lastpass.com/2015/06/lastpass-security-notice.html/