LastPass, a popular password manager program, just admitted it's been hacked.

In a blog post published today, LastPass’s Joe Siegrist writes, "The investigation has shown ... that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."



LastPass works by having users choose one strong master password that they must remember. When they log into LastPass, they use this strong authenticator to gain access to a list of all of their other passwords, which are stored in encrypted form on LastPass' servers.

LastPass’ servers do hold a list of all of its users passwords, but because they are encrypted (meaning they are heavily ciphered making it nearly impossible to crack), it's highly unlikely any hackers would be able to decrypt LastPass' password trove.

Further, the encryption and decryption happens on the users' devices, meaning that LastPass has no way to access any of its users' non-ciphered passwords.

It's important to note that this breach does not mean that hackers have full access to the passwords of every LastPass user. What it does mean, however, is that if users use a weak master password or have used the same password for another website, there’s a likelihood that hackers could gain access.

To fix this, all LastPass users should change their master password if it is weak. Also, users should implement multi factor authentication, making it even harder for hackers to gain access.

Users, however, need not have need to change the passwords stored in LastPass.

Business Insider reached out to LastPass asking for more specifics about the hack. The company emailed back "The investigation is ongoing and we are working with the authorities and forensic security experts."

It added, "We are confident that our extensive encryption model and hashing algorithms will sufficiently protect our users. As an added precaution, we are asking users that login from a new IP address/device to verify their account by email."