Master password service warns of possible breach

News by Dan Raywood

Password management vendor LastPass has issued a security notification warning that its database may have been accessed.

Advising users to change their master password, LastPass said in a notification that last Tuesday it saw ‘a network traffic anomaly for a few minutes from one of our non-critical machines’. Such anomalies are common and usually turn out to be an employee or an automated script.

However, in this instance more traffic was sent from the database than was received on the server, so it admitted that data stored in the database could have been accessed.

It said: “We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

“If you have a strong, non-dictionary based password or passphrase, this shouldn't impact you. The potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.”

As a precaution, LastPass is forcing users to change their master passwords and requiring them to confirm their identity, either by connecting from an IP block they have used before or by validating their email address.

“The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP. We realise this may be an overreaction and we apologise for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later,” it said.

According to security blogger Brian Krebs, LastPass consists of a core software application that sits on user machines and a browser plug-in. Passwords are stored on the user's system, so that no one at LastPass can access the information. The company keeps encrypted data that is generated by taking the user's master password and email address and hashing the two.

Any sensitive data saved to an account is secured by the encryption key on the user's system and then sent to LastPass. Since the user's encryption key is locally created each time users submit their master password and email to LastPass, all that the company stores is users' encrypted data.
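To make the design described above concrete, here is an added illustrative model; it is not LastPass's code, and the KDF (PBKDF2-HMAC-SHA256), iteration count, record layout and the /24 "known IP block" rule are assumptions. It shows the vault key being derived on the client from master password and email, the server keeping only a salted hash of a login value (so a leaked record holds email, server salt and salted hash, never the key), and the login check from the article in which a correct master password alone is not enough.

```python
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass

KDF_ITERATIONS = 100_000  # assumed; the article does not give the real KDF or count


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side only: the vault key comes from master password + email.
    It encrypts the vault locally and is never sent to the server."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ITERATIONS)


def login_hash(master_password: str, email: str) -> bytes:
    """Client side: one-way value sent in place of the password. Because it is
    derived from the vault key, the server learns neither key nor password."""
    return hashlib.sha256(b"login|" + derive_vault_key(master_password, email)).digest()


@dataclass
class ServerRecord:
    """What the server keeps, and therefore what a database leak would expose."""
    email: str
    server_salt: bytes
    salted_hash: bytes       # salted hash of login_hash, not the vault key
    known_ip_blocks: tuple   # network blocks this account has logged in from


def _block(ip: str) -> str:
    """Network block the client connects from (a /24 here, by assumption)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def enroll(master_password: str, email: str, client_ip: str) -> ServerRecord:
    """Server side: store a per-user salted hash, never the login hash itself."""
    salt = secrets.token_bytes(16)
    salted = hashlib.sha256(salt + login_hash(master_password, email)).digest()
    return ServerRecord(email, salt, salted, (_block(client_ip),))


def authorize(record: ServerRecord, master_password: str,
              client_ip: str, email_verified: bool) -> bool:
    """Server side, modelled on the precaution in the article: a correct master
    password is rejected unless the client comes from a known IP block or has
    validated its email address, so a guessed password alone gains nothing."""
    presented = hashlib.sha256(record.server_salt +
                               login_hash(master_password, record.email)).digest()
    if not secrets.compare_digest(presented, record.salted_hash):
        return False
    return _block(client_ip) in record.known_ip_blocks or email_verified
```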

Krebs said: “LastPass seems to have done a good job designing a secure service, but it looks like they dropped the ball a bit in testing and hardening their internal infrastructure. Still, their (apparent) transparency about what happened is a refreshing change from the brand of disclosure practiced in the wake of other, much larger breaches of late.”

Chris Boyd, senior threat researcher at GFI Software, said: “This is why you don't set your master password to ‘password’. Their swift response to the possible attack is rather heartening, so kudos for that. If you weren't using a strong master password previously, take this as the warning shot that you really should do something about it next time you log in to your LastPass account.”
