Password Service Warns Users to Change Their, Yep, Passwords

SAN FRANCISCO (AP) — A popular web service that promises to help people keep their passwords secure has reported hackers may have obtained some user information — although not actual passwords — from its network.

Security experts say it’s just another indication that any online information is subject to attack.

LastPass, which makes a program that stores multiple passwords in encrypted form, warned Monday that it had detected “suspicious activity” on its own computer system, which led to the discovery that some users’ email addresses, password reminders and encryption elements were compromised. The company said it had blocked the attack and its investigation found no evidence that individual passwords or user accounts were breached.

The Fairfax, Virginia, company is advising users to change their LastPass master passwords, which are used to retrieve encrypted individual passwords for the users’ other online services or accounts. But it said they don’t need to change individual passwords for all their accounts. It’s also taking steps to verify the accounts of users who log in from a device or router they have not used before.

“We are confident that our encryption measures are sufficient to protect the vast majority of users,” CEO Joe Siegrist said in a blog post, while apologizing to users for the inconvenience of changing their passwords.

When users are signed into their LastPass account, its software then automatically enters the appropriate password for each service or website as required. Many security experts recommend using password managers, like LastPass and other similar services, because they make it easier to have a different, hard-to-crack password for each online account, without having to remember each one.

Several experts praised LastPass for disclosing the apparent breach and said users shouldn’t be overly alarmed. But they agreed that users should change their master passwords and refrain from clicking on links in emails that claim to be from LastPass.