Password management firm LastPass has advised customers of suspicious activity on its network and the compromise of much of the customer data it stores.
LastPass provides security services to internet users who are concerned about password theft.
The hack was discovered last week and blocked on the same day. The company said that there is no evidence that encrypted vault data was taken and that accounts were not accessed. However, the attack led to significant exposure of customer details.
".@btcomp: I trust Lastpass, change your password and turn on two-factor authentication. ... / I trusted Target and Anthem Blue Cross too ;-)"
Kevin Mitnick (@kevinmitnick), June 16, 2015
"We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network," said chief executive and founder Joe Siegrist in a LastPass Security Notice.
"The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
"We are confident that our encryption measures are sufficient to protect the vast majority of users."
The security notice explained that LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side.
"This additional strengthening makes it difficult to attack the stolen hashes with any significant speed," said Siegrist.
Other defensive measures are being adopted and the firm is asking customers logging in from a new device or IP address to verify their account by email. They will then be asked to update their master passwords.
"You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites," added Siegrist.
"Security and privacy are our top concerns here at LastPass. Over the years, we have been and continue to be dedicated to transparency and proactive measures to protect our users. In addition to the above steps, we're working with the authorities and security forensic experts."
The firm apologised for the extra effort that its customers will have to make, and thanked them for their understanding and support.