LastPass hacked? Forcing users to change their master passwords

If you are a LastPass user, you will be forced to change your master password in order to continue using the service. We just read some worrying news that they might have been hacked. Yes, “might”. It is more worrying because they don’t know for sure whether they were compromised or not. From their blog:

LastPass Security Notification
We noticed an issue yesterday and wanted to alert you to it. As a precaution, we’re also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn’t find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed.

But the lack of details and the confusing explanation lead us to believe that they were indeed hacked and are probably hiding something (or still looking). Which is very sad, because we have always recommended them as a password manager solution.

If they detected a traffic anomaly, something inside their servers generated it (a process or a script). If they can’t find what generated the traffic, it means that either they are still compromised (rootkit) or their systems are not properly managed.
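As an added illustration of the kind of check the quoted notice describes (this is example code, not LastPass's or Sucuri's, and the hosts, minutes and byte counts are constructed): each host's per-minute outbound volume is compared against that host's own median, so a database that suddenly sends far more than it usually does, and more than it receives, is flagged, while a web server whose normal pattern is to send more than it receives is not.

```python
# Added example, not from the post or from LastPass: flag minutes where a host's
# outbound byte count far exceeds that host's own median, and note when the
# usual direction of traffic flipped (the host sent more than it received).
from collections import defaultdict
from statistics import median

# Constructed per-minute flow summaries: (minute, host, bytes_in, bytes_out).
FLOWS = [
    ("08:00", "db1", 900_000, 120_000),
    ("08:01", "db1", 1_100_000, 140_000),
    ("08:02", "db1", 950_000, 130_000),
    ("08:03", "db1", 1_000_000, 125_000),
    ("08:04", "db1", 950_000, 4_200_000),   # the database sends far more than usual
    ("08:05", "db1", 980_000, 135_000),
    ("08:06", "db1", 1_050_000, 128_000),
    ("08:00", "web1", 200_000, 800_000),    # a web server normally sends more than it receives
    ("08:01", "web1", 210_000, 820_000),
    ("08:02", "web1", 190_000, 790_000),
    ("08:03", "web1", 205_000, 810_000),
    ("08:04", "web1", 200_000, 815_000),
    ("08:05", "web1", 195_000, 805_000),
    ("08:06", "web1", 200_000, 800_000),
]

def detect_egress_anomalies(flows, factor=5.0, min_samples=5):
    """Return one finding per (host, minute) whose outbound volume is more than
    `factor` times the host's median outbound volume over the window."""
    per_host = defaultdict(list)
    for minute, host, bytes_in, bytes_out in flows:
        per_host[host].append((minute, bytes_in, bytes_out))

    findings = []
    for host, rows in per_host.items():
        if len(rows) < min_samples:        # too little history to call a baseline
            continue
        baseline = median(b_out for _, _, b_out in rows)
        for minute, bytes_in, bytes_out in rows:
            if baseline and bytes_out > factor * baseline:
                findings.append({
                    "host": host,
                    "minute": minute,
                    "bytes_out": bytes_out,
                    "baseline_out": baseline,
                    "ratio": round(bytes_out / baseline, 1),
                    # Extra signal from the notice: did the host send more than it got?
                    "direction_flipped": bytes_out > bytes_in,
                })
    return findings
```

In practice the baseline would come from a longer history than one seven-minute window, and a hit is a prompt to look at which process on the host opened the connections, not a verdict on its own.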

But we believe they did the right thing in notifying their users and hopefully they will get that sorted out soon. If you are looking for alternative password manager solutions, we have heard good things from and (not that we think you should stop using LastPass).

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.