LastPass Asks Users To Change Password After Probable Breach

The Web based password management firm says it detected what it thinks is a breach that could have exposed some customer passwords.

LastPass, a Web based password management firm, advised its customers to change the password they use to access the service after the company discovered signs that its network may have been compromised.

In a blog post on May 4, LastPass said its administrators noticed a “network traffic anomaly” lasting a few minutes on Tuesday morning. A subsequent investigation could not rule out a data breach and, in fact, found evidence that data may have been siphoned off from one of the firm’s databases.

An analysis found that the outbound data transfer from the server was large enough to have included “people’s email addresses, the server salt and their salted password hashes from the database.” LastPass said it was “assuming the worst:” that “the data we stored in the database was somehow accessed.” However, it is unlikely, given the amount of data believed to have been transferred, that much encrypted user data was taken, the company said.

The stolen data could potentially allow attackers to launch brute force attacks on user accounts, using the e-mail addresses associated with accounts and dictionary-style attacks to break LastPass master passwords, which would give attackers access to every online account and password managed under a given LastPass account.

As a result, the company is forcing all of its more than 1 million users to change the master password used to access their account. LastPass is also accelerating the roll out of a new encryption scheme that will use the SHA-256 algorithm on the server with a 256-bit salt and 100,000 rounds, the company said.

If a breach did occur, it is not clear what the origin of the attack was. LastPass admitted that a network VoIP phone server was “more open to UDP than it needed to be,” but said that server didn’t show any signs of tampering, nor did its databases.

In February, an independent security researcher did reveal a cross site scripting hole on the LastPass Web site (http://threatpost.com/en_us/blogs/password-management-site-lastpass-sports-security-hole-022811) that he said could have been used to expose user e-mails and the list of sites belonging to a particular LastPass account. No login data was exposed, but the researcher, Mike Cardwell, said that such data could potentially be vulnerable, also.


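The mitigation the article describes, as an added example that is not LastPass's code: a legacy record holding the three fields said to have leaked (e-mail, salt, salted SHA-256 hash), the stretched replacement with a 256-bit salt and 100,000 rounds, verification, and the upgrade-at-login step a service would run after forcing a master-password change. Chaining the rounds with PBKDF2-HMAC-SHA256 is an assumption, since the page names only SHA-256, the salt size and the round count; the e-mail and password are constructed sample values.

```python
import hashlib
import hmac
import os

ROUNDS = 100_000      # round count named in the article
SALT_BYTES = 32       # 256-bit salt named in the article


def make_legacy_record(email: str, password: str) -> dict:
    """Constructed stand-in for the exposed fields: e-mail, salt, unstretched salted SHA-256."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return {"email": email, "scheme": "sha256-salted", "rounds": 1, "salt": salt, "hash": digest}


def make_stretched_record(email: str, password: str, rounds: int = ROUNDS) -> dict:
    """Hardened record: PBKDF2-HMAC-SHA256 (assumed construction) over a fresh 256-bit salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return {"email": email, "scheme": "pbkdf2-sha256", "rounds": rounds, "salt": salt, "hash": digest}


def verify(record: dict, password: str) -> bool:
    """Recompute under the record's own scheme and compare in constant time."""
    pw = password.encode("utf-8")
    if record["scheme"] == "sha256-salted":
        candidate = hashlib.sha256(record["salt"] + pw).digest()
    elif record["scheme"] == "pbkdf2-sha256":
        candidate = hashlib.pbkdf2_hmac("sha256", pw, record["salt"], record["rounds"])
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def login_and_upgrade(record: dict, password: str) -> tuple[bool, dict]:
    """On a successful login, migrate a legacy or under-stretched record (new salt, new hash)."""
    if not verify(record, password):
        return False, record
    if record["scheme"] != "pbkdf2-sha256" or record["rounds"] < ROUNDS:
        record = make_stretched_record(record["email"], password)
    return True, record


def approx_sha256_calls_per_guess(record: dict) -> int:
    """Rough offline cost of testing one candidate master password against a leaked record.
    With HMAC key pads precomputed, each PBKDF2 round costs about two SHA-256 compressions."""
    return 1 if record["scheme"] == "sha256-salted" else 2 * record["rounds"]
```

The last function is the point of the round count: every candidate an attacker tests against a leaked stretched record costs about 200,000 SHA-256 evaluations instead of one, while the server pays that price only once per login.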