LastPass, a popular password management service, posted a press release on June 15 disclosing their recent cyberattack. While they tout industry-leading security practices, this is the second LastPass hack in recent years.
The LastPass hack was discovered on June 12 when their security team noticed suspicious activity on the network. LastPass successfully blocked attackers from accessing stored password information (LastPass refers to these as “vaults”); however, hackers did steal LastPass account email addresses, password reminder questions, and the salts and authentication hashes used for users’ master passwords.
User salts and authentication hashes are two cryptographic techniques that work together to keep private data secure: the master password is run through a one-way hashing algorithm so that the stored value cannot be turned back into the password, and a random per-user salt is mixed in first so that two users with the same password do not end up with the same hash.
Because these hashes and salts were exposed in the LastPass hack, it is possible they could be cracked by guessing. However, because every hash is salted, hackers must dedicate hours, even days, to cracking each password one by one. Since this time commitment is not worth the potential reward, your password is likely secure.
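To make the salt-and-hash point concrete, here is an added Python example (not LastPass’s code; the PBKDF2 key-derivation function, the iteration count and the record field names are assumptions) that derives a salted authentication hash, verifies a login against it, and counts how many hash evaluations someone holding leaked records would have to compute with and without per-user salts:

```python
import hashlib
import hmac
import os

# Assumed work factor: a high iteration count slows every guess an attacker makes.
ITERATIONS = 100_000


def derive_auth_hash(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way derivation of the authentication hash from the master password and salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def register(master_password: str, iterations: int = ITERATIONS) -> dict:
    """Create the stored record for a new user: a fresh random salt plus the derived hash."""
    salt = os.urandom(16)  # unique per user, never reused
    return {
        "salt": salt,
        "iterations": iterations,
        "hash": derive_auth_hash(master_password, salt, iterations),
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt by re-deriving the hash with the stored salt (constant-time compare)."""
    attempt = derive_auth_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(record["hash"], attempt)


def hash_evaluations_needed(num_users: int, num_guesses: int, salted: bool) -> int:
    """Work an attacker must do to test a wordlist against every leaked record.

    Unsalted: each guess is hashed once and compared against all users' hashes.
    Salted:   each guess must be re-hashed with every user's distinct salt.
    """
    return num_guesses * num_users if salted else num_guesses


if __name__ == "__main__":
    alice = register("correct horse battery staple")
    bob = register("correct horse battery staple")  # same password, different salt
    print("same hash for same password?", alice["hash"] == bob["hash"])  # False
    print("alice logs in:", verify(alice, "correct horse battery staple"))  # True
    print("wrong password:", verify(alice, "hunter2"))  # False
    print("unsalted work:", hash_evaluations_needed(10_000, 1_000_000, salted=False))
    print("salted work:  ", hash_evaluations_needed(10_000, 1_000_000, salted=True))
```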
What Should You Do?
Change your password, watch for phishing emails, enable multi-factor authentication, and disable the “email search” feature on social media sites.
Change Your Password
Despite stored passwords appearing to be secure, LastPass is still prompting users to update their master password upon logging in. And all users who are logging in from a new device or IP address must first verify their account by email, unless multi-factor authentication is enabled.
Watch for Phishing Emails
Targeted phishing attacks are also expected to follow the LastPass hack, due to the exposure of email addresses. This is concerning because phishing emails boast high success rates. In 2014, Google found that Gmail users fell for a sophisticated, manual phishing attempt a staggering 45 percent of the time.
Five Red Flags of a Phishing Email:
1. Use of an all-encompassing phrase like “Dear Valued Customer” rather than your name.
2. Unfamiliar or seemingly misspelled URLs or domain names.
3. Typos and grammatical errors.
4. Pushy, threatening tone and demands for an urgent response.
5. Requests for personal or financial information.
Enable Multi-Factor Authentication
Because the LastPass hack exposed password reminder questions, users should consider enabling multi-factor authentication. This security feature adds an extra login step that requires you to verify your identity via your smartphone or email, so you’ll be tipped off if someone wrongfully tries to access your account.
Disable Email Search Feature on Social Media
It might be surprising, but password reminder questions will be easier for hackers to break than the encrypted passwords stored on LastPass. Why? Because of the prevalence of social networking.
Facebook has a feature that allows you to search for a user via their email address. Since email addresses were exposed in this hack, cybercriminals can easily find an individual’s profile and scour it for personal information that could help them answer the password reminder question. If a hacker finds information that would answer these questions, like a user’s place of birth or mother’s maiden name, they effectively gain access to that user’s complete list of login credentials.
Edit this feature under Facebook’s Privacy Settings and Tools feature by switching it from “Everyone can look me up using my email address provided” to “Only my Friends.”