LastPass possibly hacked, users urged to change master password

Matthew DeCarlo

Matthew DeCarlo

Posts: 5,271   +104
Staff

It's time to change your passwords again. According to an official announcement on the company's blog, LastPass believes it may have suffered an attack that compromised user data. On Tuesday, the company discovered an unusual traffic spike on one of its non-critical machines that lasted a few minutes. Such anomalies are often attributed to an employee or an automated script, but LastPass couldn't identify the source this time.

Further investigation revealed similar abnormal traffic patterns in the opposite direction, suggesting that someone accessed data on the machine. LastPass can't determine how this irregularity occurred either, so the company assumes an unauthorized party gained entry. Based on the amount of data transferred, LastPass said the attacker may have gathered users' email addresses, the server salt and their salted password hashes.

Sounding the alarm yesterday, LastPass is urging all members to change their master password. Panicked users overwhelmed the company's servers and the company urged people to use LastPass in offline mode for the time being instead of updating their master password. As an additional precaution, the company said it would ensure that you're coming from an IP block you've used before or by validating your email address.

,lastpass

Again, LastPass isn't even sure an attack has occurred, but the company says it would rather be safe than sorry. It's also worth mentioning that you have nothing to worry about if you use a strong, non-dictionary based password or passphrase as it would be difficult if not impossible to brute force. Folks using passwords like "superman" or "123456" might want to consider updating their account creditionals sooner rather than later.

LastPass said it would take this hiccup as an opportunity to rollout additional security measures it's been planning anyway. The company is implementing PBKDF2 using SHA-256 on its servers with a 256-bit salt utilizing 100,000 rounds. If that flew over your head, LastPass said the extra encryption would basically discourage future attacks. "As we continue to grow we'll continue to find ways to reduce how large a target we are."

Permalink to story.

https://www.techspot.com/news/43665-lastpass-possibly-hacked-users-urged-to-change-master-password.html

 
Aaaaaaaaaaaaaaaaaaaaaaaaarghhh! :(

Mine was hacked! :(

So was my forum too - not funny, they used my Admin account password to get into vBulletin's backend and had a field day... I've been offline having WW3 with my new build as well, so only been in front of a computer in the last 20 mins and found out!!!

Restoring the damage done is going to take forever as well!

Its really been a bad day! :(
 
Nope, this ain't even the half of it. My new AM3 motherboard is faulty (spent all afternoon swapping out stuff to find the fault as kept crashing randomly), and Donna's Corsair CX400 is also dead!

I did say the other day I thought it was motherboard, but it wouldn't power up my new build, so borrowed a friends and it powered up.

So thats both Corsair units, both under a year old, both failed. Marvelous!!
 
gwailo247 said:
This inevitable occurrence was the reason why I never used any of these master password services.
Click to expand...

It's also worth mentioning that you have nothing to worry about if you use a strong, non-dictionary based password or passphrase as it would be difficult if not impossible to brute force. Folks using passwords like "superman" or "123456" might want to consider updating their account creditionals sooner rather than later.
 
jurassic4096 said:
gwailo247 said:
This inevitable occurrence was the reason why I never used any of these master password services.
Click to expand...

It's also worth mentioning that you have nothing to worry about if you use a strong, non-dictionary based password or passphrase as it would be difficult if not impossible to brute force. Folks using passwords like "superman" or "123456" might want to consider updating their account creditionals sooner rather than later.
Click to expand...

Everything is getting hacked left and right. I'd rather use individual passwords for each site that I change every so often. Worst case scenario I lose one password, rather than worrying about what else might happen. Part of security is having peace of mind, and putting all my eggs in one basket does not give me that, even if it is irrational. This is just my opinion, and it could be completely wrong.
 
gwailo247 said:
Everything is getting hacked left and right. I'd rather use individual passwords for each site that I change every so often. Worst case scenario I lose one password, rather than worrying about what else might happen. Part of security is having peace of mind, and putting all my eggs in one basket does not give me that, even if it is irrational. This is just my opinion, and it could be completely wrong.
Click to expand...


I don't think so, I think you're spot on. especially until 'the cloud' security is mastered...and that won't happen.
 
red1776 said:
gwailo247 said:
Everything is getting hacked left and right. I'd rather use individual passwords for each site that I change every so often. Worst case scenario I lose one password, rather than worrying about what else might happen. Part of security is having peace of mind, and putting all my eggs in one basket does not give me that, even if it is irrational. This is just my opinion, and it could be completely wrong.
Click to expand...

I don't think so, I think you're spot on. especially until 'the cloud' security is mastered...and that won't happen.
Click to expand...




I commend them on their quick action on just the POSSIBILITY of an intrusion! Because of that, I will follow this story and hopefully remain a customer of Last Pass. The measures they have said they are looking into on their blog are reassuring. Education is power and security. That's why we come to sites like Techspot right guys!
 
jurassic4096 said:
I commend them on their quick action on just the POSSIBILITY of an intrusion! Because of that, I will follow this story and hopefully remain a customer of Last Pass. The measures they have said they are looking into on their blog are reassuring. Education is power and security. That's why we come to sites like Techspot right guys!
Click to expand...

As far as that, you are 100% correct. I am really impressed that they chose their commitment to their customers over any sort of other considerations, and that they did this even without confirmation of a hack. Most companies would wait until they confirmed any sort of hack, which might have been too late.

It doesn't change my feelings on the practice, but you're right, their actions are very commendable.
 
Yeah, I have a bit of an update too - I might have been a bit premature to blame LastPass, as it would seem so far the only issue has been with my forum. I do stress so far.

However, my forum seems to have suffered the same exploit taking out crap loads of other vB forums online at the moment - Oh well, another long day ahead!

I still haven't been able to access my account to change my LastPass master password though.
 
I have no comments about what happened to Last Pass, but I never felt comfortable with the idea of using something similar. Although, the downside is, I have to comeup with new password for each site, which I remind myself to enter into my notebook so if I forget it, I can find it easily enough, ........... which usually I promptly forget,and then end up having to remember which password I actually gave ..... well the long and the short of it, it is fun :D
 
You must log in or register to reply here.

Similar threads

midian182
Beware: Fake LastPass app sneaks onto Apple's App Store
Replies
3
Views
246
m4a4
m4a4
midian182
LastPass says employee's home computer was hacked to steal a decrypted vault
Replies
10
Views
913
Bullwinkle M
B
midian182
LastPass user information exposed in data breach
Replies
19
Views
1K
trparky
T

Latest posts

Back