LastPass alerts users about potential master password breach
Users of the online password management service will need to reset their master passwords as precaution, company says
Computerworld - LastPass, an online password management provider, is forcing its users to change their master passwords after detecting what it described as a "traffic anomaly" on one of its database servers.
In a blog post on Wednesday, LastPass said it first noticed a network traffic irregularity on Tuesday morning when looking at the logs for one of its non-critical systems. It decided to dig deeper after it was unable to find a root cause for the anomaly.
"After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server)," the blog post noted.
Because LastPass has been unable to account for this anomaly, it has decided to assume that the database has been compromised. The amount of data that was transferred out of its system is big enough to have contained people's email addresses, their salted password hashes and the server salt, LastPass said.
Salting is a technique used to make stolen password hashes harder to misuse. A randomly generated value, the salt, is combined with the password before the password is hashed, so two users with the same password do not end up with the same stored hash.
"We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blob," LastPass noted.
LastPass is a service that lets users store their usernames, passwords and form-fill data online. The service then automatically fills in the information when the user visits a site that requires the information. The company offers a free service as well as a fee-based service.
Such services are designed to let people create a strong, unique password for each site they use without having to remember every one of them. Without such help, users tend to reuse the same password across multiple sites.
With services such as LastPass, users need to only remember one master password for logging into the service.
In its blog post, LastPass noted that the possible compromise is unlikely to affect anyone with a "strong, non-dictionary"-based master password or pass phrase.
LastPass is requiring everyone to change their master password because the intruders could use brute-force methods to guess weaker master passwords offline, the company noted. "Unfortunately, not everyone picks a master password that's immune to brute forcing."
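The following is an added illustration of the two points above (salted hashes, and why a leaked salt still leaves only weak master passwords exposed); it is not code from the article or from LastPass. It assumes a PBKDF2-HMAC-SHA256 verifier salted with a server-wide salt plus the user's email, and uses a constructed server salt, constructed sample accounts and a tiny constructed wordlist. The audit function shows what a defender would do after such a leak: identify which accounts a dictionary guess would expose and therefore must be force-reset.

```python
import hashlib
import hmac

# Constructed values for illustration only; not LastPass's real parameters.
SERVER_SALT = bytes.fromhex("a3f1c2d4e5b6a7980011223344556677")
ITERATIONS = 50_000  # key stretching: raises the cost of every offline guess


def salted_hash(email: str, password: str, server_salt: bytes,
                iterations: int = ITERATIONS) -> bytes:
    """Derive a stored verifier (assumed scheme, not LastPass's actual one):
    PBKDF2-HMAC-SHA256 over the password, salted with the server-wide salt
    plus the user's email so equal passwords do not collide across accounts."""
    salt = server_salt + email.lower().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def accounts_to_reset(records, server_salt: bytes, wordlist,
                      iterations: int = ITERATIONS):
    """Defender's audit after a leak of (email, hash) records plus the server
    salt: return the emails whose master password appears in a small
    dictionary. Those are the accounts an offline guess would expose, so they
    need a forced reset; a long non-dictionary passphrase is not found."""
    exposed = []
    for email, stored in records:
        for candidate in wordlist:
            guess = salted_hash(email, candidate, server_salt, iterations)
            if hmac.compare_digest(guess, stored):
                exposed.append(email)
                break
    return exposed


# Constructed sample: one dictionary-word master password, one long passphrase.
RECORDS = [
    ("alice@example.com",
     salted_hash("alice@example.com", "sunshine", SERVER_SALT)),
    ("bob@example.com",
     salted_hash("bob@example.com", "river-owl-lantern-42-quartz", SERVER_SALT)),
]
WORDLIST = ["password", "123456", "letmein", "sunshine", "qwerty"]

if __name__ == "__main__":
    print("accounts needing a forced reset:",
          accounts_to_reset(RECORDS, SERVER_SALT, WORDLIST))
```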
According to LastPass, the incident has accelerated its decision to implement stronger authentication measures. The company is also rebuilding the servers that were compromised, and all source code underlying the Web site has been verified against the original repository to ensure no tampering was done.
Users will need to validate their email addresses or log in from an IP address they have used before to reset their master password, the company added.
"We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later," it said.
Several of the more than 700 comments posted by LastPass users on its blog site suggested that users had some trouble accessing their accounts following the master password reset request.
In most of the cases, the problems appeared to be the result of users not knowing how to proceed with the reset or not knowing about the need for them to do it.
In some cases, users appeared unsure what to do because the passwords to their email system had been stored in LastPass.
"For the third time -- can someone give a solution," one anonymous poster lamented. "Nothing works. What the hell should I do?"
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.