Cyber Incident Victim: LastPass
Date: Jun 2015
Location: United States of America

Summary
A password management service experienced unauthorized network access leading to the compromise of user email addresses, password reminders, server salts, and authentication hashes, though encrypted vault data containing stored account credentials remained inaccessible. The company emphasized that its encryption practices—including unique per-user salts and iterative hashing processes—significantly hindered decryption attempts for master passwords, particularly those meeting strength requirements. While no accounts were confirmed breached, the incident prompted widespread security advisories and enhanced login verification measures for unrecognized devices. Investigations into the breach’s origin and methodology remained ongoing with external experts and law enforcement involvement.
Description
On June 15, 2015, LastPass disclosed a security breach involving unauthorized access to its systems. The company detected and blocked suspicious network activity on the preceding Friday and opened an investigation, which revealed that attackers had obtained customer email addresses, password reminders, server-side per-user salts, and authentication hashes. No encrypted user vault data (the stored account logins and passwords) was accessed during the incident. LastPass emphasized that its hashing scheme made the compromised authentication hashes extremely difficult to turn back into master passwords, provided users had chosen strong master passwords. Per-user salts forced an attacker to work on each account individually, and the hashing was iterative: a master password underwent thousands of hashing rounds on the client before transmission and 100,000 further rounds on the server before storage, which significantly slows brute-force attempts.

In response to the breach, LastPass required all users to change their master passwords and enable two-factor authentication, with immediate changes required for anyone whose master password was weak or reused elsewhere. The company clarified that changing the individual passwords stored inside encrypted vaults was unnecessary, since that data remained uncompromised. As an additional measure, LastPass began requiring email verification for logins from new devices or IP addresses unless the user had already enabled two-factor authentication. The company declined to say when the intrusion began or how it was carried out, citing an ongoing investigation conducted with federal authorities and third-party cybersecurity experts. No user accounts were confirmed as compromised through the incident.
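The following is an added illustration, not LastPass's own code: it models the two-stage scheme the description gives, where the client stretches the master password before transmission and the server stretches the received authentication hash again with a per-user salt and 100,000 iterations. The client-side iteration count (the page only says "thousands") and the use of PBKDF2-HMAC-SHA256 are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumptions, not figures from the incident page (which says only "thousands"
# of client-side rounds and does not name the hash function):
CLIENT_ITERATIONS = 5000
ALGO = "sha256"
# Stated on the page: 100,000 additional rounds before storage.
SERVER_ITERATIONS = 100_000


def client_auth_hash(master_password: str, email: str) -> bytes:
    """Value the client transmits: the master password stretched with the
    account email as salt. The master password itself never leaves the client."""
    return hashlib.pbkdf2_hmac(ALGO, master_password.encode(),
                               email.lower().encode(), CLIENT_ITERATIONS)


def server_store(auth_hash: bytes, salt: Optional[bytes] = None) -> dict:
    """Record the server keeps: a random per-user salt and the received
    authentication hash stretched 100,000 more times. This pair is what an
    attacker obtains in a breach like the one described above."""
    salt = salt or os.urandom(16)
    stored = hashlib.pbkdf2_hmac(ALGO, auth_hash, salt, SERVER_ITERATIONS)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Recompute the server-side stretch and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(ALGO, auth_hash, record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def enroll(email: str, master_password: str) -> dict:
    return server_store(client_auth_hash(master_password, email))


def login(record: dict, email: str, master_password: str) -> bool:
    return server_verify(record, client_auth_hash(master_password, email))


def work_per_guess() -> int:
    """Hash rounds an attacker holding a leaked record must spend per candidate
    master password, per account: the client stretch plus the server stretch."""
    return CLIENT_ITERATIONS + SERVER_ITERATIONS
```

Because each record carries its own salt, two accounts that happen to share a master password produce unrelated stored hashes, and the leaked server-side hash is not itself a valid credential: replaying it as the authentication hash fails verification.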
