Password manager LastPass announced Monday that suspicious activity was identified on its network on Friday. As a result, LastPass account email addresses, password reminders, server per-user salts, and authentication hashes were compromised.
LastPass has blocked the suspicious activity and all users are being notified. An investigation found no evidence that encrypted user vault data was taken or that accounts were accessed.
To ensure that data remains secure, all users are being asked to change their master password. Additionally, users who log in from a new device or IP address will be required to first verify their account via email, unless multifactor authentication is enabled.
LastPass, which had similar problems four years ago, has been praised by some on social media for at least reacting quickly to the breach, and for being open and honest about the incident.