LastPass possibly hacked, users urged to change master password

By on May 5, 2011, 4:50 PM

It's time to change your passwords again. According to an official announcement on the company's blog, LastPass believes it may have suffered an attack that compromised user data. On Tuesday, the company discovered an unusual traffic spike on one of its non-critical machines that lasted a few minutes. Such anomalies are often attributed to an employee or an automated script, but LastPass couldn't identify the source this time.

Further investigation revealed similar abnormal traffic patterns in the opposite direction, suggesting that someone accessed data on the machine. LastPass can't determine how this irregularity occurred either, so the company assumes an unauthorized party gained entry. Based on the amount of data transferred, LastPass said the attacker may have gathered users' email addresses, the server salt and their salted password hashes.

Sounding the alarm yesterday, LastPass urged all members to change their master password. Panicked users promptly overwhelmed the company's servers, and LastPass asked people to use the service in offline mode for the time being rather than keep retrying the password change. As an additional precaution, the company said it would require either that you log in from an IP block you have used before or that you validate your email address first.

Again, LastPass isn't even sure an attack has occurred, but the company says it would rather be safe than sorry. It's also worth mentioning that the stolen data, if any, would be salted password hashes, which an attacker has to brute-force offline one guess at a time. If you use a long, non-dictionary passphrase, that attack would be difficult if not impossible, and you have little to worry about. Folks using passwords like "superman" or "123456" are exactly what a dictionary attack recovers first and might want to update their account credentials sooner rather than later.

LastPass said it would take this hiccup as an opportunity to roll out additional security measures it had been planning anyway. The company is implementing PBKDF2 using SHA-256 on its servers with a 256-bit salt and 100,000 rounds. If that flew over your head: PBKDF2 is not encryption but deliberately slow hashing, and each of those 100,000 rounds is work an attacker must repeat for every password guess against every stolen hash, which LastPass said would discourage future attacks. "As we continue to grow we'll continue to find ways to reduce how large a target we are."
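To make the two technical points in this article concrete (that the leaked data would be salted hashes an attacker must brute-force offline, and why 100,000 PBKDF2-SHA256 rounds with a 256-bit salt slow that down), here is an added Python example. It is not LastPass's code and not from the original article; the user record, the wordlist and the function names are constructed for illustration, while the algorithm, salt size and round count are the figures the company announced.

```python
"""Server-side master-password hashing as LastPass described it in May 2011
(PBKDF2-HMAC-SHA256, 256-bit salt, 100,000 rounds), plus the offline
dictionary attack an attacker with stolen salts and hashes would run.
Added illustration, not LastPass's implementation."""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

ROUNDS = 100_000      # iteration count quoted in the announcement
SALT_BYTES = 32       # 256-bit salt quoted in the announcement
DKLEN = 32            # SHA-256 output size; one block of PBKDF2 output

# Constructed attacker wordlist: weak passwords from the article plus filler.
WORDLIST = ["password", "superman", "123456", "letmein", "qwerty",
            "iloveyou", "dragon", "monkey"]


def hash_master_password(password: str, salt: Optional[bytes] = None,
                         rounds: int = ROUNDS) -> Tuple[bytes, bytes, int]:
    """Return the stored record (salt, derived_key, rounds).

    A fresh random salt per user means two users with the same password
    get different hashes, so one cracked hash does not reveal the others.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, rounds, dklen=DKLEN)
    return salt, dk, rounds


def verify_master_password(password: str, salt: bytes, stored: bytes,
                           rounds: int) -> bool:
    """Recompute the derivation and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, rounds, dklen=DKLEN)
    return hmac.compare_digest(candidate, stored)


def offline_crack(record: Tuple[bytes, bytes, int],
                  wordlist) -> Optional[str]:
    """What the attacker does with a stolen (salt, hash, rounds) record:
    try each guess, paying the full round count every time.
    Returns the recovered password or None if the wordlist is exhausted."""
    salt, stored, rounds = record
    for guess in wordlist:
        if verify_master_password(guess, salt, stored, rounds):
            return guess
    return None


def seconds_per_guess(rounds: int, samples: int = 3) -> float:
    """Average wall-clock cost of one PBKDF2 guess at a given round count.
    The cracker's total cost is roughly guesses * users * this number."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"benchmark", salt, rounds, dklen=DKLEN)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    weak = hash_master_password("123456")
    strong = hash_master_password("correct horse battery staple")
    print("weak record cracked as:", offline_crack(weak, WORDLIST))
    print("strong record cracked as:", offline_crack(strong, WORDLIST))
    fast, slow = seconds_per_guess(1), seconds_per_guess(ROUNDS)
    print(f"1 round: {fast:.2e} s/guess, {ROUNDS} rounds: {slow:.2e} s/guess, "
          f"slowdown x{slow / fast:.0f}")
```

The slowdown factor printed at the end is the whole argument for the round count: it multiplies the attacker's cost per guess while costing the legitimate user a fraction of a second per login. Run against a realistic wordlist of millions of entries and a dump of many records, that factor is the difference between cracking "123456" in seconds and not cracking a long passphrase at all.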

User Comments: 12

NeoFryBoy said:

Anonymous strikes again!

gwailo247, TechSpot Chancellor, said:

This inevitable occurrence was the reason why I never used any of these master password services.

Leeky said:

Aaaaaaaaaaaaaaaaaaaaaaaaarghhh!

Mine was hacked!

So was my forum too - not funny, they used my Admin account password to get into vBulletin's backend and had a field day... I've been offline having WW3 with my new build as well, so only been in front of a computer in the last 20 mins and found out!!!

Restoring the damage done is going to take forever as well!

It's really been a bad day!

Matthew, TechSpot Staff, said:

You just can't catch a break eh Leeky?

Leeky said:

Nope, this ain't even the half of it. My new AM3 motherboard is faulty (spent all afternoon swapping out stuff to find the fault as it kept crashing randomly), and Donna's Corsair CX400 is also dead!

I did say the other day I thought it was motherboard, but it wouldn't power up my new build, so borrowed a friends and it powered up.

So that's both Corsair units, both under a year old, both failed. Marvelous!!

Jurassic4096 said:

gwailo247 said:

This inevitable occurrence was the reason why I never used any of these master password services.

It's also worth mentioning that you have nothing to worry about if you use a strong, non-dictionary based password or passphrase as it would be difficult if not impossible to brute force. Folks using passwords like "superman" or "123456" might want to consider updating their account credentials sooner rather than later.

gwailo247, TechSpot Chancellor, said:

jurassic4096 said:

gwailo247 said:

This inevitable occurrence was the reason why I never used any of these master password services.

It's also worth mentioning that you have nothing to worry about if you use a strong, non-dictionary based password or passphrase as it would be difficult if not impossible to brute force. Folks using passwords like "superman" or "123456" might want to consider updating their account credentials sooner rather than later.

Everything is getting hacked left and right. I'd rather use individual passwords for each site that I change every so often. Worst case scenario I lose one password, rather than worrying about what else might happen. Part of security is having peace of mind, and putting all my eggs in one basket does not give me that, even if it is irrational. This is just my opinion, and it could be completely wrong.

red1776, Omnipotent Ruler of the Universe, said:

Everything is getting hacked left and right. I'd rather use individual passwords for each site that I change every so often. Worst case scenario I lose one password, rather than worrying about what else might happen. Part of security is having peace of mind, and putting all my eggs in one basket does not give me that, even if it is irrational. This is just my opinion, and it could be completely wrong.

I don't think so, I think you're spot on. Especially until 'the cloud' security is mastered... and that won't happen.

Jurassic4096 said:

red1776 said:

Everything is getting hacked left and right. I'd rather use individual passwords for each site that I change every so often. Worst case scenario I lose one password, rather than worrying about what else might happen. Part of security is having peace of mind, and putting all my eggs in one basket does not give me that, even if it is irrational. This is just my opinion, and it could be completely wrong.

I don't think so, I think you're spot on. Especially until 'the cloud' security is mastered... and that won't happen.

I commend them on their quick action on just the POSSIBILITY of an intrusion! Because of that, I will follow this story and hopefully remain a customer of Last Pass. The measures they have said they are looking into on their blog are reassuring. Education is power and security. That's why we come to sites like Techspot right guys!

gwailo247, TechSpot Chancellor, said:

jurassic4096 said:

I commend them on their quick action on just the POSSIBILITY of an intrusion! Because of that, I will follow this story and hopefully remain a customer of Last Pass. The measures they have said they are looking into on their blog are reassuring. Education is power and security. That's why we come to sites like Techspot right guys!

As far as that, you are 100% correct. I am really impressed that they chose their commitment to their customers over any sort of other considerations, and that they did this even without confirmation of a hack. Most companies would wait until they confirmed any sort of hack, which might have been too late.

It doesn't change my feelings on the practice, but you're right, their actions are very commendable.

Leeky said:

Yeah, I have a bit of an update too - I might have been a bit premature to blame LastPass, as it would seem so far the only issue has been with my forum. I do stress so far.

However, my forum seems to have suffered the same exploit taking out crap loads of other vB forums online at the moment - Oh well, another long day ahead!

I still haven't been able to access my account to change my LastPass master password though.

Archean, TechSpot Paladin, said:

I have no comments about what happened to Last Pass, but I never felt comfortable with the idea of using something similar. Although, the downside is, I have to come up with a new password for each site, which I remind myself to enter into my notebook so if I forget it, I can find it easily enough... which usually I promptly forget, and then end up having to remember which password I actually gave... well, the long and the short of it, it is fun.
