Password manager LastPass posted a notice on their blog last night that they may have been hacked. From the LastPass Blog:
In this case, we couldn’t find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server).
Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transfered and that it’s big enough to have transfered people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users encrypted data blobs.”
I trusted Leo Laporte and Steve Gibson when they said that LastPass was secure. I watched an entire episode of Security Now in which they explained why LastPass was totally secure. Maybe LastPass is totally secure, but then why are they forcing users to change their passwords? Let this be a lesson to everyone, never ever, ever, ever trust anyone else with your passwords. There is always a way to hack something.
I’m glad that I only stored non-essential websites in my LastPass vault. I did not store any bank websites, or even email accounts in LP. Whew!
If you want information from a third party I found this blog post had some helpful tips.