Password-storage service becomes victim of hackers

Associated Press

SAN FRANCISCO

A popular Web service that promises to help people keep their passwords secure has reported hackers may have obtained some user information – although not actual passwords – from its network.

Security experts say it’s just another indication that any online information is subject to attack.

LastPass, which makes a program that stores multiple passwords in encrypted form, warned Monday that it had detected “suspicious activity” on its own computer system, which led to the discovery that some users’ email addresses, password reminders and encryption elements were compromised. The company said it had blocked the attack and its investigation found no evidence that individual passwords or user accounts were breached.

The Fairfax, Va., company is advising users to change their LastPass master passwords, which are used to retrieve encrypted individual passwords for the users’ other online services or accounts. But it said they don’t need to change individual passwords for all their accounts. It’s also taking steps to verify the accounts of users who log in from a device or router they have not used before.

Several experts praised LastPass for disclosing the apparent breach and said users shouldn’t be overly alarmed. But they agreed users should change their master passwords and refrain from clicking on links in emails that claim to be from LastPass.