LastPass Asks Users To Change Password After Probable Breach

The Web-based password management firm says it detected what it thinks is a breach that could have exposed some customer passwords.

LastPass, a Web-based password management firm, advised its customers to change the password they use to access the service after the company discovered signs that its network may have been compromised.

In a blog post on May 4, LastPass said its administrators noticed a “network traffic anomaly” lasting a few minutes on Tuesday morning. A subsequent investigation could not rule out a data breach and, in fact, found evidence that data may have been siphoned off from one of the firm’s databases.

Analysis showed that the outbound data transfer from the server was large enough to have included “people’s email addresses, the server salt and their salted password hashes from the database.” LastPass said it was “assuming the worst”: that “the data we stored in the database was somehow accessed.” However, given the amount of data believed to have been transferred, it is unlikely that much encrypted user data was taken, the company said.

The stolen data could allow attackers to run offline brute-force attacks on user accounts: the e-mail addresses identify the accounts, and dictionary-style guessing against the salted hashes could recover weak LastPass master passwords, which would give an attacker access to every online account and password managed in the affected vault.

As a result, the company is forcing its more than 1 million users to change the master password used to access their accounts. LastPass is also accelerating the roll-out of a stronger server-side password hashing scheme based on SHA-256, with a 256-bit salt and 100,000 rounds, the company said.

If a breach did occur, it is not clear what the origin of the attack was. LastPass admitted that a network VoIP phone server was “more open to UDP than it needed to be,” but said that server showed no signs of tampering, nor did its databases.

In February, an independent security researcher, Mike Cardwell, revealed a cross-site scripting hole on the LastPass Web site (https://threatpost.com/password-management-site-lastpass-sports-security-hole-022811/) that he said could have been used to expose a user’s e-mail address and the list of sites belonging to a particular LastPass account. No login data was exposed, but Cardwell said that such data could potentially be vulnerable as well.
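The risk the article describes is an offline dictionary attack against the siphoned table of e-mail addresses, server salt and salted hashes, and the mitigation is a slower hash with a bigger salt and 100,000 rounds. The following Python script is an added example, not LastPass’s code, that makes both halves concrete. It constructs a small fake leaked table (the users, the server salt and the wordlist are all made up here), cracks the two dictionary-word master passwords under a cheap shared-salt SHA-256 scheme, and then repeats the attack against a stretched scheme. The article does not name the construction behind “SHA-256, 256-bit salt, 100,000 rounds”; the script assumes PBKDF2-HMAC-SHA256 as one way of realising it. It also shows the point raised in Brian’s comment below: a per-user salt multiplies the attacker’s work by the number of rows, while the round count multiplies the cost of every single guess.

```python
"""Dictionary attack on a leaked table of salted master-password hashes, and
what per-user salts plus key stretching change about the attacker's cost.

Added example, not LastPass's code. The users, server salt and wordlist are
constructed here. The weak scheme models "server salt + salted SHA-256 hash"
as the article describes the leaked data; the strong scheme ASSUMES
PBKDF2-HMAC-SHA256 as a realisation of "SHA-256, 256-bit salt, 100,000 rounds".
"""
import hashlib
import os
import time

ROUNDS = 100_000  # round count the article reports for the new scheme

# Constructed stand-in for the single server-wide salt in the leaked database.
SERVER_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# Constructed users; two of them chose dictionary words as master passwords.
USERS = [
    ("alice@example.com", "letmein"),
    ("bob@example.com", "9v!Qm#2Lr7@xWz"),
    ("carol@example.com", "sunshine"),
]

# Constructed candidate list standing in for a real cracking wordlist.
DICTIONARY = ["password", "letmein", "123456", "lastpass", "qwerty",
              "monkey", "sunshine", "iloveyou", "dragon", "football"]


def weak_hash(password: str, salt: bytes) -> bytes:
    """One pass of SHA-256 over salt||password: cheap, same salt for every row."""
    return hashlib.sha256(salt + password.encode()).digest()


def strong_hash(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt (assumed form of the new scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def build_weak_table(users):
    """Simulated leaked table: email -> hash, every row under SERVER_SALT."""
    return {email: weak_hash(pw, SERVER_SALT) for email, pw in users}


def build_strong_table(users, rounds: int = ROUNDS):
    """email -> (fresh 256-bit per-user salt, stretched hash)."""
    table = {}
    for email, pw in users:
        salt = os.urandom(32)
        table[email] = (salt, strong_hash(pw, salt, rounds))
    return table


def crack_weak(table, dictionary):
    """Shared salt: one hash per candidate is compared against the whole table.
    Returns (cracked {email: password}, number of hash computations)."""
    by_hash = {h: email for email, h in table.items()}
    cracked, ops = {}, 0
    for cand in dictionary:
        ops += 1
        email = by_hash.get(weak_hash(cand, SERVER_SALT))
        if email:
            cracked[email] = cand
    return cracked, ops


def crack_strong(table, dictionary, rounds: int = ROUNDS):
    """Per-user salts force one hash per (candidate, user) pair, and every hash
    costs `rounds` HMAC iterations. Returns (cracked, hash computations)."""
    cracked, ops = {}, 0
    for cand in dictionary:
        for email, (salt, h) in table.items():
            ops += 1
            if strong_hash(cand, salt, rounds) == h:
                cracked[email] = cand
    return cracked, ops


def throughput(hash_fn, samples: int) -> float:
    """Rough single-core guesses per second for a hash function on this machine."""
    salt = os.urandom(32)
    t0 = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}", salt)
    return samples / (time.perf_counter() - t0)


if __name__ == "__main__":
    got, ops = crack_weak(build_weak_table(USERS), DICTIONARY)
    print(f"shared salt, 1 round : cracked {sorted(got)} with {ops} hashes")

    demo_rounds = 1_000  # reduced so the demo finishes quickly
    got, ops = crack_strong(build_strong_table(USERS, demo_rounds), DICTIONARY, demo_rounds)
    print(f"per-user salt        : cracked {sorted(got)} with {ops} hashes x {demo_rounds} rounds")

    print(f"weak scheme  : ~{throughput(weak_hash, 100_000):,.0f} guesses/s")
    print(f"strong scheme: ~{throughput(strong_hash, 5):,.1f} guesses/s at {ROUNDS:,} rounds")
```

Both attacks recover the same two weak master passwords; stretching does not rescue a password that is in the wordlist, which is why the forced master-password change matters as much as the hashing upgrade. What the stronger scheme buys is the throughput line: the attacker pays the full round count per guess per user, so a wordlist that the weak scheme exhausts in seconds takes days against a large table.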

Discussion

  • Anonymous on

    NOWHERE ON THEIR HOME PAGE DOES IT TALK ABOUT THIS MESS. I KNEW BETTER!!! HACK PROOF MY AS.

  • Anonymous on

    What more can be said.  Never, never, never use the cloud to store sensitive information.  Not even two factor authentication can prevent the exposure of sensitive info.  Maybe they can't login as you, but now they have more credentials than they had yesterday to impersonate you elsewhere.

  • Anonymous on

    Never store information about your online accounts on the internet. Use an offline password manager with strong encryption and at least a 4096-bit key. Like this one - http://www.guardedkey.com/

  • Anonymous on

    This article is full of shit. Lastpass does not state that they were hacked nor that it is probable. In fact, they state that it is unlikely, but given the nature of their service and the fact that there was some unusual traffic load between internal services that they could not account for, yet, they wanted to advise precaution by forcing password changes. They also continue on that even if there was any nefarious activity involved, you shouldn't really be concerned unless you had a very simple password, since the only way to access your information would be through brute force attempts.

    Kaspersky should be ashamed of themselves for this sensationalist bullshit.

  • Amateur security geek on

    Anonymous says: "They also continue on that even if there was any nefarious activity involved, you shouldn't really be concerned unless you had a very simple password, since the only way to access your information would be through brute force attempts." Unfortunately while the last half of the sentence is true, that sentence as a whole is complete bullshit. I used to run the systems department at a small ISP. As we didn't log passwords/changes, at one point where we were looking at outsourcing an important service, we needed to crack our own *nix password DB. After a few days of running "John the Ripper" on a few machines, we had brute-forced over 90% of the customer passwords, including most of the passwords for staff (who should have known better.) The fastest machine we had back then was only about 1GHz, so with today's multi-core multi-GHz machines you should be able to crack them about 10 times as fast. If the LastPass password DB was in fact siphoned off, then up to 90% of their users will have had all their passwords exposed within days or even hours.

  • Peter on

    Lastpass also acquired the popular bookmarking site and browser addon Xmarks last year.

    Regards,

    Peter

    http://HackerTarget.com

  • rei on

    It's hashed and salted. The passwords are safe. Calm down. This isn't the same situation as Sony.

  • TimDaMan on

    YK, I think you misunderstand the purpose of salting. A hash does not make it any harder to guess a password. It simply prevents one from using simple pre-calculated rainbow tables. The tables would have to take into account all the various salt values. However if you are just brute force (or even intelligently) guessing in the first place they will not make any difference. Salt is public information and thus can be worked into the brute force calculations.

  • Brian on

    YK, the time taken will be linearly larger in the size of the database, not exponentially.  If there are 1,000 passwords in the database and a breadth-first search is used, unique salts on each password will make the attack take 1,000 times as long to crack the same number of passwords.

    The time taken to crack a single password is unaffected by having different salts for each password.

    I agree though that the captcha on this site is terrible.  Captchas are supposed to be human readable, and this one fails that test.

  • Anonymous on

    I only wish that Firefox had a good password manager that stayed on my machine. I never liked sending anything to the clouds but because of the number of passwords I need, I did it. I am currently trying to change my LastPass master password but their servers are a bit overwhelmed. My master password was alphanumeric and not anything out of a dictionary.
