LastPass is forcing its users to change their master passwords following a possible security breach. The free, multiplatform password manager software allows individuals to store passwords for many different websites, all of which can then be accessed using a single master password.
LastPass users only need to remember their master password to log into any website.
Users were notified of the issue after LastPass identified anomalous outbound network traffic. Although this traffic could not be accounted for, the amount of data transferred was big enough to include people’s email addresses, the server salt and salted password hashes. This would provide enough information for a hacker to carry out an offline brute-force attack against the hashes, possibly allowing plaintext passwords to be recovered from many users.
LastPass remains unsure of what has actually happened, but prudently assumed the worst, noting that, “We realize this may be an overreaction and we apologize for the disruption this will cause, but we’d rather be paranoid and slightly inconvenience you than to be even more sorry later.”