In an era of infinite passwords, each with slightly different requirements, LastPass — a company that allows customers to store their password collections online and access them with master passwords — seemed to many like a godsend. Until Monday, that is, after the company announced that hackers had broken into its system, gaining access to password reminders, e-mail addresses and even encrypted master passwords.
The combination of stolen data makes the hacking comparatively serious: simple codes such as “123456” can be hacked easily, regardless of encryption, while reminders like “Where were you born?” can be easily solved using public information from social media or records. Many other passwords can be guessed through so-called “brute forcing,” or using rented computer server firepower to crack encryption, CNN reports.
The company discovered the digital security breach on Friday. “We are confident that our encryption measures are sufficient to protect the vast majority of users,” Joe Siegrist, LastPass CEO and co-founder, wrote in a blog post Monday. “Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.”
Siegrist went on to encourage users who have reused their master passwords on other websites to replace those passwords and to encourage users to set up two-step authentication, which involves sending a passcode via text message to a user’s phone, to prevent future data losses.