LastPass


Threatpost News Wrap, July 29, 2016

Mike Mimoso and Chris Brook discuss the news of the week, including a wireless keyboard vulnerability – KeySniffer, NIST’s statement on 2FA, a LastPass remote compromise bug, and a new Tor paper.


LastPass, the popular password manager for most of the top Web browsers, has fixed a couple of vulnerabilities that could have allowed an attacker to target users and generate his own one-time passwords for the victim’s account. The company said that its security team hasn’t seen any active attacks exploiting these vulnerabilities and doesn’t think that […]

LastPass Asks Users To Change Password After Probable Breach

The Web-based password management firm says it detected what it thinks is a breach that could have exposed some customer passwords.

LastPass, a Web-based password management firm, advised its customers to change the password they use to access the service after the company discovered signs that its network may have been compromised.

In a blog post on May 4, LastPass said it noticed a “network traffic anomaly” lasting a few minutes on Tuesday morning, and that a subsequent investigation could not rule out a data breach and, in fact, found evidence that data may have been siphoned off from one of the firm’s databases. Analysis showed the outbound data transfer from the server was large enough to have included “people’s email addresses, the server salt and their salted password hashes from the database.” LastPass said it was “assuming the worst:” that “the data we stored in the database was somehow accessed.” However, given the amount of data believed to have been transferred, it is unlikely that much user-encrypted data was transferred, the company said.

The stolen data could potentially allow attackers to launch brute-force attacks on user accounts, using the e-mail addresses associated with accounts and dictionary-style attacks to break LastPass Master Passwords, which would give attackers access to any online accounts and passwords managed in a given account. As a result, the company is forcing all its customers to change the master password used to access their account. LastPass is also accelerating the roll-out of a new encryption scheme that will use the SHA-256 algorithm on the server with a 256-bit salt and 100,000 rounds, the company said.

If a breach did occur, it is not clear what the origin of the attack was. LastPass admitted that a network VoIP phone server was “more open to UDP than it needed to be,” but said that server didn’t show any signs of tampering, nor did its databases.

In February, an independent security researcher revealed a cross-site scripting hole on the LastPass Web site (http://threatpost.com/en_us/blogs/password-management-site-lastpass-sports-security-hole-022811) that he said could have been used to expose user e-mails and the list of sites belonging to a particular LastPass account. No login data was exposed, but the researcher, Mike Cardwell, said that such data could potentially be vulnerable as well.
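The server-side scheme described above (a per-user 256-bit salt and 100,000 rounds of SHA-256) is what makes a dictionary attack on leaked hashes expensive: every guess must repeat the full iteration count against each user's own salt. The following is an added example, not LastPass's code; it assumes PBKDF2-HMAC-SHA256 as the iteration construction and a record format chosen for this example, and includes the check a service needs when migrating existing records to the stronger parameters on the user's next successful login.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters reported in the article; PBKDF2 as the iteration construction
# and the record format below are assumptions of this example.
ROUNDS = 100_000
SALT_BYTES = 32  # 256-bit salt
ALGO = "pbkdf2_sha256"

def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = ROUNDS) -> str:
    """Return a self-describing record: algo$rounds$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"{ALGO}${rounds}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and rounds; constant-time compare."""
    algo, rounds, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record type: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def needs_rehash(record: str, min_rounds: int = ROUNDS,
                 min_salt_bytes: int = SALT_BYTES) -> bool:
    """True if a stored record is weaker than the current policy."""
    algo, rounds, salt_hex, _ = record.split("$")
    return (algo != ALGO or int(rounds) < min_rounds
            or len(bytes.fromhex(salt_hex)) < min_salt_bytes)

def verify_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Login check that transparently migrates weak records on success.

    Returns (ok, record_to_store). On a correct password against a record
    below policy the plaintext is in hand, so rehash with current parameters
    and hand back the new record for the caller to persist.
    """
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record
```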
