LastPass possibly hacked, users urged to change master password
By Matthew DeCarlo
It's time to change your passwords again. According to an official announcement on the company's blog, LastPass believes it may have suffered an attack that compromised user data. On Tuesday, the company discovered an unusual traffic spike on one of its non-critical machines that lasted a few minutes. Such anomalies are often attributed to an employee or an automated script, but LastPass couldn't identify the source this time.
Further investigation revealed similar abnormal traffic patterns in the opposite direction, suggesting that someone accessed data on the machine. LastPass can't determine how this irregularity occurred either, so the company assumes an unauthorized party gained entry. Based on the amount of data transferred, LastPass said the attacker may have gathered users' email addresses, the server salt and their salted password hashes.
Sounding the alarm yesterday, LastPass is urging all members to change their master password. Panicked users overwhelmed the company's servers, and the company urged people to use LastPass in offline mode for the time being instead of updating their master password right away. As an additional precaution, the company said it would check that you're logging in from an IP block you've used before, or validate your email address otherwise.
Again, LastPass isn't even sure an attack has occurred, but the company says it would rather be safe than sorry. It's also worth mentioning that you have nothing to worry about if you use a strong, non-dictionary-based password or passphrase, as it would be difficult, if not impossible, to brute force. Folks using passwords like "superman" or "123456" might want to consider updating their account credentials sooner rather than later.
LastPass said it would take this hiccup as an opportunity to roll out additional security measures it's been planning anyway. The company is implementing PBKDF2 using SHA-256 on its servers with a 256-bit salt utilizing 100,000 rounds. If that flew over your head, LastPass said the stronger password hashing would basically discourage future attacks by making each guess far more expensive. "As we continue to grow we'll continue to find ways to reduce how large a target we are."
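The server-side scheme described above (PBKDF2 with SHA-256, a 256-bit per-user salt, 100,000 rounds), as an added Python example that is not LastPass's own code; the stored-record format, the function names and the rehash-on-login helper are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Parameters as the article describes them: PBKDF2-HMAC-SHA256,
# a 256-bit (32-byte) salt and 100,000 rounds.
HASH_NAME = "sha256"
SALT_BYTES = 32
ROUNDS = 100_000
KEY_BYTES = 32
ALGO_TAG = "pbkdf2-sha256"   # assumed label for the stored record


def derive(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Run PBKDF2-HMAC-SHA256; every guess costs the attacker `rounds` HMACs."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, rounds, dklen=KEY_BYTES)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algo$rounds$salt$hash' (base64 fields)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per user, never a single server-wide value
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be 256 bits")
    digest = derive(password, salt)
    fields = [ALGO_TAG, str(ROUNDS), base64.b64encode(salt).decode(), base64.b64encode(digest).decode()]
    return "$".join(fields)


def _parse(record: str):
    """Split a record into (rounds, salt, digest); ValueError on malformed input."""
    algo, rounds, salt_b64, digest_b64 = record.split("$")
    if algo != ALGO_TAG:
        raise ValueError("unknown algorithm tag")
    return int(rounds), base64.b64decode(salt_b64, validate=True), base64.b64decode(digest_b64, validate=True)


def verify_password(record: str, password: str) -> bool:
    """Re-derive with the stored salt and rounds; compare in constant time."""
    try:
        rounds, salt, expected = _parse(record)   # binascii.Error is a ValueError subclass
    except ValueError:
        return False
    return hmac.compare_digest(derive(password, salt, rounds), expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record uses fewer rounds than the current policy (rehash on next login)."""
    try:
        rounds, _, _ = _parse(record)
    except ValueError:
        return True
    return rounds < ROUNDS
```

On a successful login, a record for which `needs_rehash` returns True should be replaced with `hash_password(password)` so the whole user base migrates to the new work factor over time.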