LastPass resets passwords following possible hack
Precautionary change-up
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
Password management system LastPass has reset users' master passwords as a precaution following the discovery of a possible hack attack against its systems.
The move follows the detection of two anomalies – one affecting a database server – on LastPass's network on Tuesday that could be the result of a possible hack attack. LastPass detected that more traffic had been sent from the database than had been received by a server, an event that might be explained by hackers extracting sensitive login credentials, stored in an obfuscated (hashed) format.
The worst case scenario is that miscreants might have swiped password hashes, a development that leaves users who selected easier-to-guess passphrases at risk of brute-force dictionary attacks. Once uncovered, these login credentials might be used to obtain access to all the login credentials stored through the service, as LastPass explains in a blog post (extract below).
If you have a strong, non-dictionary-based password or pass phrase, this shouldn't impact you – the potential threat here is brute-forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute-forcing.To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address...
We realise this may be an overreaction and we apologise for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.
LastPass's decision to reset passwords as a precaution has made it difficult for some legitimate users to log onto the service again. Tips on re-enabling accounts can be found in a blog post by Chris Boyd, a security researcher at GFI Software, here.
The password-management outfit has taken the possible attack and resulting service disruption as the opportunity to introduce a stronger password hashing system. Although LastPass isn't sure how hackers might have entered its network – if indeed that's what happened – an assault based on an initial break-in via its Voice over IP system is the company's best initial guess as to what might have gone wrong.
This week's security flap at LastPass.com follows a security breach just six weeks ago that created a means to extract the email addresses – though not the passwords – of enrolled users. The two incidents are not thought to be related. ®
COMMENTS
No reset here
Which is a relief.
They did the right thing. Properly functioning auditing detected the anomaly, they investigated and even though they can't prove it's a compromise took the decision to err on the side of caution before it became a full blown breach.
Much better than certain large consumer electronics companies I could mention.
They allow simple passwords?
Surely this company from the start new it would be a target for this kind of thing. Shouldn't the password guarding all your other passwords be required to be fairly strong?! My understanding of its point is to make password management easier - but requiring users to remember one strong password is not that big a deal.
required
from what I can gather they are only asking people to reset if they see a login attempt from an ip address you haven't used recently
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Steps to Take Before Choosing a Business Continuity Partner
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
