LastPass Password Manager Issues Security Alert

Thursday, May 05, 2011



Online password management provider LastPass has detected a possible network intrusion and is notifying customers of the threat, though the company has stopped short of confirming that unauthorized access or data loss actually occurred.

LastPass, whose tagline is "The last password you'll have to remember", has advised customers that they will be required to change their master password after the company was unable to find the cause of anomalies on its network systems.

The anomalies detected could be a sign of a hacking attempt on company systems.

If there was a successful intrusion, the company's concern is that accounts with weak master passwords may be exposed to an offline dictionary attack against the stolen salted hashes: the attacker guesses candidate passwords, hashes them with the leaked salt, and compares the results against the stolen hashes. Once a master password is recovered and the attacker logs in to the account, they would have access to every login credential stored in it, for any number of websites.

As an added measure of protection, the company is also requiring customers to go through an additional level of validation, either by confirming their email address or by logging in from an IP address block they have used before.

LastPass posted a security alert on their company blog, a portion of which states:

After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blobs.

If you have a strong, non-dictionary-based password or pass phrase, this shouldn't impact you – the potential threat here is brute-forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute-forcing.

To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address...

We realise this may be an overreaction and we apologise for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.
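The attack the article describes above and the "brute-forcing your master password using dictionary words, then going to LastPass with that password" scenario in the alert, worked through as an added example; this is not code from the original page or from LastPass. Everything in it is constructed: the hash construction (one SHA-256 over the server salt followed by the password) is an assumption for illustration and is not LastPass's real scheme, which the page does not describe; the salt, the accounts, the wordlist and the mangling rules are likewise made up. What it shows is why a leaked server salt does not save a dictionary-word master password, and why a long non-dictionary passphrase survives the same wordlist.

```python
import hashlib
import hmac

# Constructed server-wide salt. The alert mentions "the server salt" in the
# singular; whether LastPass used one shared salt or per-user salts is an
# assumption here, so the code below handles either.
SERVER_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def salted_hash(password: str, salt: bytes) -> str:
    """ASSUMED hash construction for illustration only: SHA-256(salt || password).
    It is deliberately a fast hash so the cost of guessing is visible."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_row(password: str, salt: bytes = SERVER_SALT):
    return (salt, salted_hash(password, salt))


# What the attacker is assumed to hold: email -> (salt, salted hash). All three
# accounts are constructed; two use dictionary-derived master passwords and one
# uses a long passphrase that no wordlist mangling will reach.
LEAKED_ROWS = {
    "alice@example.com": make_row("password123"),
    "bob@example.com": make_row("letmein"),
    "carol@example.com": make_row("correct horse battery staple 7!"),
}

# Constructed miniature wordlist; real ones hold millions of entries.
WORDLIST = ["password", "letmein", "dragon", "qwerty", "monkey", "lastpass"]


def candidates(word: str):
    """Mangling rules a cracker applies to each wordlist entry: the bare word,
    a capitalised form, and the word with a 0-999 numeric suffix."""
    yield word
    yield word.capitalize()
    for n in range(1000):
        yield f"{word}{n}"


def dictionary_attack(rows, wordlist):
    """Offline attack against the stolen table. Returns (recovered, hashes_computed)
    where recovered maps email -> master password for every account that fell.

    Accounts are grouped by salt: each guess costs one hash per distinct salt, so
    a single shared server salt lets one hash be checked against every user at
    once, while per-user salts multiply the work by the number of users. The salt
    only defeats precomputed tables; it does nothing against live guessing."""
    by_salt = {}
    for email, (salt, stored) in rows.items():
        by_salt.setdefault(salt, {})[stored] = email
    recovered = {}
    hashes_computed = 0
    for word in wordlist:
        for cand in candidates(word):
            for salt, table in by_salt.items():
                hashes_computed += 1
                email = table.get(salted_hash(cand, salt))
                if email is not None and email not in recovered:
                    recovered[email] = cand
    return recovered, hashes_computed


def vault_login(rows, email: str, password: str) -> bool:
    """Second stage of the threat: present the recovered master password to the
    service. Models the server's check; True means the vault would be handed over."""
    salt, stored = rows[email]
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    recovered, work = dictionary_attack(LEAKED_ROWS, WORDLIST)
    print(f"{work} hashes computed, {len(recovered)} of {len(LEAKED_ROWS)} accounts cracked")
    for email, pw in recovered.items():
        print(f"  {email}: {pw!r} -> login succeeds: {vault_login(LEAKED_ROWS, email, pw)}")
```

With the constructed data the two dictionary-derived master passwords fall after a few thousand hash computations and the passphrase account does not; the only variable the user controls in this scenario is which side of that line they are on, which is the point the alert makes.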

For details on how to change your master password and regain access to your LastPass account, see the blog post at GFI Labs.

Daives bursten: I have used SplashID from SplashData. It is a wonderful product and integrates well with your browser. I have tried it on Android and Windows and have seen its behaviour on iOS. Hands down the best password management tool I have come across.