LastPass alerts users about potential master password breach
Users of the online password management service will need to reset their master passwords as a precaution, the company says
Computerworld - LastPass, an online password management provider, is forcing its users to change their master passwords after detecting what it described as a "traffic anomaly" on one of its database servers.
In a blog post on Wednesday, LastPass said it first noticed a network traffic irregularity on Tuesday morning while reviewing the logs for one of its non-critical systems. It decided to dig deeper after it was unable to find a root cause for the anomaly.
"After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server)," the blog post noted.
Because LastPass has been unable to account for this anomaly, it has decided to assume that the database has been compromised. The amount of data that was transferred out of its system is big enough to have contained people's email addresses, their salted password hashes and the server salt, LastPass said.
Salting is a technique that is used to make it harder for people to misuse stolen passwords. A randomly generated key is added to the password before it is obscured, or hashed.
"We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blob," LastPass noted.
LastPass is a service that lets users store their usernames, passwords and form-fill data online. The service then automatically fills in the information when the user visits a site that requires the information. The company offers a free service as well as a fee-based service.
Such services are designed to let people create strong and unique passwords for each site they use without having to worry about remembering each one of them. Users tend to use the same passwords for multiple sites because of this worry.
With services such as LastPass, users need to only remember one master password for logging into the service.
In its blog post, LastPass noted that the possible compromise is unlikely to affect anyone with a "strong, non-dictionary"-based master password or pass phrase.
LastPass is requiring everyone to change their master password because the intruders could use brute-force methods to guess weaker master passwords, the company noted. "Unfortunately, not everyone picks a master password that's immune to brute forcing."
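To make the salting and brute-force points concrete, here is an added example (not LastPass's own code; the salt, wordlist and hash rate are constructed values) showing that a leaked salt plus salted hash still lets a weak, dictionary-style password be matched against a wordlist, while a long non-dictionary passphrase is not reproduced, and that the per-guess work factor, not the salt, is what makes guessing expensive.

```python
import hashlib
import hmac

# Constructed demo values (not from the incident): a server-side salt and a
# tiny wordlist standing in for a real password dictionary.
SERVER_SALT = bytes.fromhex("5a1d3c9e7b2f4a6d8c0e1f2a3b4c5d6e")
DEMO_WORDLIST = ["password", "letmein", "sunshine1", "qwerty123", "dragon"]


def salted_hash(password: str, salt: bytes, iterations: int = 1) -> bytes:
    """Hash a password mixed with a salt, as described in the article.

    iterations=1 models a plain salted hash; a higher value models a
    PBKDF2-style work factor that makes every guess proportionally slower.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def dictionary_exposure(stored_hash: bytes, salt: bytes, wordlist, iterations: int = 1):
    """Return the wordlist entry that reproduces stored_hash, or None.

    This is the audit a defender runs over their own stored hashes: with the
    salt known (as after a database leak), any password present in a wordlist
    is matched; a long non-dictionary passphrase is not.
    """
    for candidate in wordlist:
        if hmac.compare_digest(salted_hash(candidate, salt, iterations), stored_hash):
            return candidate
    return None


def guess_cost_seconds(keyspace: int, iterations: int, hashes_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace at a given hash rate.

    The salt defeats precomputed tables but does not change this figure;
    only the iteration count (work factor) and the keyspace size do.
    """
    return keyspace * iterations / hashes_per_second


if __name__ == "__main__":
    weak = salted_hash("sunshine1", SERVER_SALT)
    strong = salted_hash("correct horse battery staple", SERVER_SALT)
    print("weak password matched:", dictionary_exposure(weak, SERVER_SALT, DEMO_WORDLIST))
    print("strong passphrase matched:", dictionary_exposure(strong, SERVER_SALT, DEMO_WORDLIST))
    print("seconds to try 1,000 guesses at 100k iterations, 1M hashes/s:",
          guess_cost_seconds(1000, 100_000, 1e6))
```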
According to LastPass, the incident has accelerated its decision to implement stronger authentication measures. The company is also rebuilding the servers that may have been compromised, and all source code underlying the Web site has been verified against the original repository to ensure no tampering took place.
Users will need to validate their email addresses or log in from an IP address they have used before to reset their master password, the company added.
"We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later," it said.
Several of the more than 700 comments posted by LastPass users on its blog site suggested that users had some trouble accessing their accounts following the master password reset request.
In most of the cases, the problems appeared to be the result of users not knowing how to proceed with the reset or not knowing about the need for them to do it.
In some cases, users appeared unsure what to do because the passwords to their email system had been stored in LastPass.
"For the third time -- can someone give a solution," one anonymous poster lamented. "Nothing works. What the hell should I do?"
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed.