Last updated on December 10th, 2021
Popular cloud-based password management service LastPass has reported a breach of its servers, with some information stolen. The encrypted user data (i.e., passwords) was not taken, but the data thieves did steal password reminders, email addresses, per-user server salts, and authentication hashes. The last two are items used to verify account access. The company has posted more about this on their corporate blog.
While all of the above should be encrypted enough to make using the stolen info troublesome, it’s still advisable for everyone using LastPass to change their master password.
Although this is one of the downsides of using an online-based password manager, I still think LastPass’ service is pretty well done and convenient. It also beats trying to create/remember dozens of hard-to-guess secure passwords for multiple sites, or storing them in a plain-text format (a text document file, etc.). Of course, there are alternative services available, including 1Password and KeePass.