LastPass may have been hacked


Users who manage and store their passwords through password management service LastPass are being forced to change their master passwords after the site noticed an issue this week that raised the spectre of a possible security breach.

As described in a blog yesterday, LastPass recently followed a string of breadcrumbs that pointed to an anomaly in its network traffic on Tuesday. Though such anomalies aren't unusual, LastPass found a matching anomaly in one of its databases. Unable to identify a root cause for either anomaly, the company made the decision to assume the worst--that some of its data had been hacked.

Although LastPass hasn't identified a specific breach, it's erring on the side of caution by now forcing its members to change their master passwords. For you non-LastPass users, what exactly does that mean?

Services like LastPass and rival RoboForm let users create and manage passwords to more easily log in to the vast array of secure Web sites they visit. Those passwords can be stored on a PC or mobile device as well as online. As one means of protection, both companies typically urge users to create a single complex master password that can unlock the key to accessing their passwords. Of course, if that master password is compromised, hackers potentially can gain access to all the individual passwords, one reason why these companies advise users to employ complex master passwords.

In this case, LastPass said it believes that users with complex non-dictionary master passwords were probably safe even if any data was compromised. But the company knows that many users out of force of habit often choose simple, easily decipherable passwords. Though it sees the need to require all users to change their passwords as an overreaction, as LastPass says, "we'd rather be paranoid and slightly inconvenience you than to be even more sorry later."

In the meantime, LastPass says that it's taking further precautions against the anomaly by shutting down and moving certain key services and verifying all of its source code. The company is also enhancing the encryption used to protect its data.

Update 9:30 a.m. PT: LastPass is now reporting on its blog that the company is being overwhelmed by support requests and is having trouble keeping up with the number of password changes. The company has since set up a way for users to confirm their e-mail addresses without having to change their passwords. As a result, LastPass is urging people who are using the service from the same computer or IP address to hold off on changing their passwords for a few days.

"We're asking if you're not being asked to change your password then hold off--we're protecting everyone."

The company further suggests accessing your LastPass data offline by disconnecting from the Internet and then logging in or by downloading its LastPass Pocket software, which lets you carry around your data on a USB stick.

Update 11:07 a.m. PT: Security researchers at Duo Security have also offered their take on the LastPass security anomaly with recommendations on what LastPass users should do at this point.


I'm using RoboForm (sigh). This raises some questions though...


I'm using the best service around: Mind, Inc :P

(it's fair to mention tho', it sometimes overheats and fails ...)


  • Administrator

A comment on their blog:

There is no "master password database" for Lastpass. By design, the system is set up so that it is *impossible* for Lastpass, or anyone, to decrypt your information without your master password. Your master password itself is never sent to Lastpass's servers, not even a hashed version, and all of the encryption is done locally before it even gets uploaded to LP.

  • Administrator

Why potential LastPass data breach isn't last straw

Popular third-party password manager LastPass revealed yesterday that it may well have been hacked and that some e-mail usernames and master passwords may have been stolen. Does this mean it's time to migrate to another password manager, or even abandon the entire concept of online password management for a pen-and-paper solution?


The LastPass password vault in Firefox.

Given the facts of the situation from LastPass' blog post explaining what happened, I'd say no to giving LastPass the boot, and definitely not to abandoning digital password management for a "little black book."

Leaving a paper trail is a horrendous idea for two reasons. The first is that if you lose your book or it gets stolen, it's gone and you've got a statistically tiny chance of recovering it. The other is that the book itself offers zero security. If somebody else sees it, your passwords are compromised even if the book doesn't get stolen. From any angle, it's just a bad idea.

Before I get to why it's OK to stick with LastPass, though, let's review some of the reasons people use third-party password managers in the first place. Though the five major browsers now offer some method of password protection and management, including syncing between multiple devices, many people have flocked to third-party password protection because it tends to be browser-agnostic. You can access it from any browser, including on your smartphone, and the third-party vendors often provide more features, such as stronger security, password grouping, password generation, password-associated note-taking, and password sharing to trusted individuals.

In fact, one of the best reasons to use LastPass is that it uses 256-bit AES encryption to protect your data, and the company is solely focused on providing password protection. LastPass also uses one-way salted hashes, which is not a potato-based concoction. A "salted hash" in cryptographic terms means that random binary numbers are used in conjunction with a password to ensure that the data transfer is legitimate and not being spoofed. It prevents pregenerated password tables from being used to gain access to the system, because the random binary part of the hash would be too large to easily spoof.

LastPass noted in its blog announcing the possible breach that the company has taken the opportunity to implement salted hash 256-AES protection with PBKDF2. This is a very strong manner of encryption, and brings us to why it's still a good idea to continue to use LastPass. Unlike recent high-profile data theft cases involving companies like Sony, Ashampoo, Verizon, and Epsilon, LastPass has been very forthcoming with information on the steps the company has taken to ensure continued user protection. This includes noting that despite thin evidence that the possible breach had affected many customers, LastPass decided to take the precautionary step of resetting everybody's master, and not just those of users on the affected server.

The key paragraph from the LastPass blog post announcing the possible breach is this:

"In this case, we couldn't find that root cause. After delving into the anomaly, we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's e-mail addresses, the server salt, and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs."

So, assuming that LastPass is being forthright and not lying, the following statement also makes sense:

"If you have a strong, non-dictionary-based password or pass phrase, this shouldn't impact you--the potential threat here is brute-forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

"To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your e-mail address."

Again, assuming honesty from LastPass--which admittedly may be too much for some people--it appears that LastPass is taking extreme measures to protect all its users from what potentially might have been a data breach. Another reason that LastPass might be requiring all users to reset their passwords is that the company doesn't have access to the salt hashes on its own servers. They couldn't see your passwords if they wanted to.

It's this kind of straightforward frankness about data breaches that other companies would do well to learn from. Data breaches are inevitable. There is no such thing as a foolproof system, whether we're talking about security virus definition updates or securing data on a server. But as more and more of our personal data is stored up in the cloud, what will differentiate the responsible corporations and companies from the reckless ones is clear and quick communication about both security upgrades and data breaches.
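The two design points the thread keeps returning to, the blog comment above saying the master password never reaches the server and this article's description of salted hashes and PBKDF2, can be shown concretely. The following is an added example written for this thread, not LastPass's own code or a description of its actual implementation. It assumes a generic two-stage design: the client stretches the master password with PBKDF2 (using the account e-mail as the per-user salt, an assumption made for the example) into a 256-bit vault key that stays local, derives a one-way login credential from it, and the server salts and stretches that credential again with its own "server salt" before storing it. The function names, iteration counts and the chaining of vault key into login hash are all choices of this example, not facts from the page.

```python
"""Client-side key derivation sketch: the master password is stretched locally,
the vault key stays on the client, and only a derived, salted hash reaches the server."""
import hashlib
import hmac

# Constructed parameters for this example; not LastPass's real settings.
CLIENT_ITERATIONS = 100_000  # PBKDF2 rounds run on the user's machine
SERVER_ITERATIONS = 100_000  # additional rounds run server-side before storage
KEY_LEN = 32                 # 32 bytes = 256 bits, the AES-256 key size the article mentions


def derive_vault_key(master_password: str, user_salt: bytes,
                     iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client side: stretch the master password into the 256-bit vault key.

    user_salt (the account e-mail here, an assumption of this example) makes the derived
    key unique per user, so a table precomputed for one account is useless for another.
    This key would encrypt the vault locally and never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               user_salt, iterations, dklen=KEY_LEN)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one extra PBKDF2 round turns the vault key into the login credential.
    PBKDF2 is one-way, so the server learns neither the vault key nor the master password
    from what it receives."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"),
                               1, dklen=KEY_LEN)


def server_store(auth_hash: bytes, server_salt: bytes,
                 iterations: int = SERVER_ITERATIONS) -> bytes:
    """Server side: salt and stretch the received credential again before storing it.
    A stolen record is therefore a salted hash of a hash, not the master password."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, iterations, dklen=KEY_LEN)


def server_verify(stored_record: bytes, server_salt: bytes,
                  candidate_auth_hash: bytes) -> bool:
    """Server side: recompute from the presented credential and compare in constant time."""
    recomputed = server_store(candidate_auth_hash, server_salt)
    return hmac.compare_digest(stored_record, recomputed)


def enroll(master_password: str, user_salt: bytes, server_salt: bytes):
    """Account creation. Returns (vault_key kept on the client, record kept by the server)."""
    vault_key = derive_vault_key(master_password, user_salt)
    auth_hash = derive_auth_hash(vault_key, master_password)
    return vault_key, server_store(auth_hash, server_salt)


def login(master_password: str, user_salt: bytes, server_salt: bytes,
          stored_record: bytes) -> bool:
    """A login attempt as client and server together would process it."""
    vault_key = derive_vault_key(master_password, user_salt)
    auth_hash = derive_auth_hash(vault_key, master_password)
    return server_verify(stored_record, server_salt, auth_hash)


if __name__ == "__main__":
    # Constructed sample accounts; both pick the same weak master password.
    server_salt = b"constructed-server-salt"
    alice_key, alice_record = enroll("password123", b"alice@example.com", server_salt)
    bob_key, bob_record = enroll("password123", b"bob@example.com", server_salt)

    # Per-user salting: identical passwords yield different keys and different records,
    # so one precomputed table cannot be reused across accounts.
    print("same password, different records:", alice_record != bob_record)
    print("server record equals vault key?  :", alice_key in (alice_record, bob_record))
    print("correct login:", login("password123", b"alice@example.com", server_salt, alice_record))
    print("wrong login:  ", login("Password123", b"alice@example.com", server_salt, alice_record))
```

What the stolen data in the blog quote would look like under this design is the `server_store` output plus the server salt: recovering a master password from it still means running the client-side and server-side PBKDF2 work for every guess, which is why the article's advice to use a non-dictionary master password matters, and why the vault key itself, never having been sent, is not in the database at all.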

