password managers


LastPass Asks Users To Change Password After Probable Breach

ED: LastPass Asks Users To Change Password After Probable BreachDEK: The Web based password management firm says it detected what it thinks is a breach that could have exposed some customer passwords. LastPass, a Web based password management firm, advised its customers to change the password they use to access the service following what the company discovered signs that its network may have been compromised. In a blog post on May 4, LastPass said it noticed a “network traffic anomaly” lasting a few minutes on Tuesday morning and that a subsequent investigation could not rule out a data breach and, in fact, found evidence that data may have been siphoned off from one of the firm’s databases. An analysis of the outbound data transfer from the server is large enough to have included “people’s email addresses, the server salt and their salted password hashes from the database.” LastPass said it was “assuming the worst:” that “the data we stored in the database was somehow accessed.” However, its unlikely – given the amount of data believed to have been transferred – that much user encrypted data was transferred, the company said. The data stolen could potentially allow attackers to launch brute force attacks on user accounts – using e-mail addresses associated with accounts and dictionary-style attacks to break LastPass Master Passwords, which would give attackers access to any online accounts and passwords managed in a given account. As a result, the company is forcing all its customers to change the master password used to access their account. LastPass is also accelerating the roll out of a new encryption scheme that will use a SHA-256 bit algorithm on the server and a 256-bit salt using 100,000 rounds, the company said. If a breach did occur, its not clear what the origin of the attack was. LastPass admitted that a network VoIP phone server was “more open to UDP than it needed to be,” but said that server didn’t show any signs of tampering, nor did its databases. In February, an indepndent security researcher did reveal a cross site scripting hole on the LastPass Web site (http://threatpost.com/en_us/blogs/password-management-site-lastpass-sports-security-hole-022811) that he said could have been used to expose user e-mails and a list of sites beloning to a particular LastPass accounts. No login data was exposed, but the researcher, Mike Cardwell, said that such data could potentially be vulnerable, also. LastPass, a Web based password management firm, advised its customers to change the password they use to access the service following what the company discovered signs that its network may have been compromised. 


CLARIFICATION: This story corrects information concerning the availability of the stolen account names and passwords online.
Millions of Web users are waking up to news that broke over the weekend that systems belonging to Gawker Media were hacked and password data on millions of user accounts published on the Internet. How can you figure out if your e-mail and password were among more than a million that were stolen? Read on for instructions on figuring out if you’re one of the victims of the Gawker attack, and what to do about it.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.