Feeds

LastPass resets passwords following possible hack

Precautionary change-up

Securing Web Applications Made Simple and Scalable

Password management system LastPass has reset users' master passwords as a precaution following the discovery of a possible hack attack against its systems.

The move follows the detection of two anomalies – one affecting a database server – on LastPass's network on Tuesday that could be the result of a possible hack attack. LastPass detected that more traffic had been sent from the database than had been received by a server, an event that might be explained by hackers extracting sensitive login credentials, stored in an obfuscated (hashed) format.

The worst case scenario is that miscreants might have swiped password hashes, a development that leaves users who selected easier-to-guess passphrases at risk of brute-force dictionary attacks. Once uncovered, these login credentials might be used to obtain access to all the login credentials stored through the service, as LastPass explains in a blog post (extract below).

If you have a strong, non-dictionary-based password or pass phrase, this shouldn't impact you – the potential threat here is brute-forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute-forcing.

To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address...

We realise this may be an overreaction and we apologise for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.

LastPass's decision to reset passwords as a precaution has made it difficult for some legitimate users to log onto the service again. Tips on re-enabling accounts can be found in a blog post by Chris Boyd, a security researcher at GFI Software, here.

The password-management outfit has taken the possible attack and resulting service disruption as the opportunity to introduce a stronger password hashing system. Although LastPass isn't sure how hackers might have entered its network – if indeed that's what happened – an assault based on an initial break-in via its Voice over IP system is the company's best initial guess as to what might have gone wrong.

This week's security flap at LastPass.com follows a security breach just six weeks ago that created a means to extract the email addresses – though not the passwords – of enrolled users. The two incidents are not thought to be related. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.