LastPass, the cloud-based password manager, announced Monday that its network was hacked and that the perpetrators accessed and stole user account email addresses, password reminders, server per user salts, and authentication hashes.

In a blog post announcing the attack, LastPass Chief Executive Joe Siegrist said the LastPass team “discovered and blocked suspicious activity” on the network on Friday. He added that encrypted user vault data – actual master passwords and passwords encrypted with the master password – was not accessed.

“We are confident that our encryption measures are sufficient to protect the vast majority of users,” said Siegrist.

LastPass uses a password-strengthening algorithm that turns a user’s master password into an encryption key. It then appends a string of random digits to the key and encrypts it more than 100,000 times, making it difficult to break stolen hashes with a brute-force attack.

Security industry insider John Casaretto told SiliconANGLE that LastPass was an obvious target due to the nature and volume of confidential data it stores.

“Thankfully, LastPass has done a tremendous amount of work on their security, but clearly not enough in this case because if you think about the things we don’t know – how long the hack went undetected, the scope, etc., there’s a lot of impact yet to be seen,” said Casaretto.

In an effort to further protect users and prevent unauthorized access to LastPass accounts, the company said that it would require all users logging in from a new device or IP address, excluding those using multifactor authentication, to verify their account via email. In addition, users will also be prompted to update their master password.

“Choosing a new master password immediately is the best advice they can give right now and if you can use two-factor authentication, which they offer, that will help,” added Casaretto.

When setting a master password, suggested Casaretto, users should use strong passwords unique to their LastPass account. Users should never use the same password for multiple accounts, he said.

This is the second time LastPass has notified users of a hack. In 2011, LastPass discovered a network traffic anomaly that, upon further investigation, revealed the transfer of users’ email addresses, the server salt and their salted password hashes. At the time, the company instituted a blanket master password reset for all users to mitigate potential breaches.

It is unknown when hackers gained access to the LastPass systems, but a screenshot of a Google security warning (via The New York Times) posted on Imgur suggests the breach may have happened as long as three weeks ago.

Image credit: Dev.Arka, Flickr, CC BY-ND 2.0