LastPass, a Web based password management firm, advised its customers to change the password they use to access the service after the company discovered signs that its network may have been compromised.
In a blog post on May 4, LastPass said its administrators noticed a “network traffic anomaly” lasting a few minutes on Tuesday morning. A subsequent investigation could not rule out a data breach and, in fact, found evidence that data may have been siphoned off from one of the firm’s databases. An analysis of the outbound data transfer from the server found it was large enough to have included “people’s email addresses, the server salt and their salted password hashes from the database.” LastPass said it was “assuming the worst:” that “the data we stored in the database was somehow accessed” and is requiring users to change their master password.
The stolen data could potentially allow attackers to launch brute force attacks on user accounts – using the e-mail addresses associated with accounts and dictionary-style attacks to break LastPass Master Passwords, which would give attackers access to every online account and password managed under a given LastPass account. In addition to forcing its more than 1 million users to change the master password used to access their account, LastPass is also accelerating the roll out of a new encryption scheme that will use the SHA-256 algorithm on the server with a 256-bit salt and 100,000 rounds, the company said.
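As an added illustration (not LastPass's code, and not a description of its actual implementation), the following Python sketch shows what the announced parameters buy a defender: a per-user 256-bit salt, so two users with the same password get different hashes and a precomputed table is useless, and 100,000 rounds, so each guess against a stolen hash costs 100,000 hash computations instead of one. The iterated construction used here is PBKDF2-HMAC-SHA256, which is an assumption; the single-round function is included only as the weak "before" case.

```python
import hashlib
import hmac
import os

# Parameters from the announcement: 256-bit (32-byte) salt and 100,000 rounds.
SALT_BYTES = 32
ROUNDS = 100_000


def hash_single_round(password: str, server_salt: bytes) -> bytes:
    """Weak 'before' case: one SHA-256 pass over a shared server salt + password.
    A single shared salt lets an attacker test one guess against every record
    with one hash computation. Illustrative only."""
    return hashlib.sha256(server_salt + password.encode("utf-8")).digest()


def hash_iterated(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Hardened case: per-user salt and an iterated construction.
    PBKDF2-HMAC-SHA256 is assumed here as the way to apply the rounds; the
    round count multiplies the attacker's cost per guess by the same factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def make_record(password: str) -> dict:
    """Create a stored credential record with a fresh random per-user salt."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "rounds": ROUNDS, "hash": hash_iterated(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt/rounds and compare in constant time,
    so response timing does not leak how many leading bytes matched."""
    candidate = hash_iterated(password, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def needs_upgrade(record: dict) -> bool:
    """Migration check: records hashed with fewer rounds (or a short salt)
    should be re-hashed at the user's next successful login, which is the
    only moment the server sees the plaintext password."""
    return record["rounds"] < ROUNDS or len(record["salt"]) < SALT_BYTES


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")  # constructed sample
    print("verify ok:", verify("correct horse battery staple", rec))
    print("needs upgrade:", needs_upgrade(rec))
```

On the server side, the sketch's accelerated rollout is the needs_upgrade path: old records are replaced with per-user-salted, 100,000-round records as users log in with their new master passwords.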
If a breach did occur, it’s not clear what the origin of the attack was. LastPass admitted that a network VoIP phone server was “more open to UDP than it needed to be,” but said that server didn’t show any signs of tampering, nor did its databases. In February, an independent security researcher did reveal a cross site scripting hole on the LastPass Web site that he said could have been used to expose user e-mails and the list of sites belonging to a particular LastPass account. No login data was exposed, but the researcher, Mike Cardwell, said that such data could potentially be vulnerable as well.