LastPass hacked? Forcing users to change their master passwords

If you are a LastPass user, you will be forced to change your master password before you can continue using the service. We just read some worrying news that they might have been hacked. Yes, "might": what makes it more worrying is that they do not know for sure whether they were compromised or not. From their blog:

LastPass Security Notification
We noticed an issue yesterday and wanted to alert you to it. As a precaution, we’re also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn’t find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed.

The lack of detail and the confusing explanation lead us to believe that they were indeed hacked and are probably hiding something (or are still looking). That is very sad, because we have always recommended them as a password manager solution.

If they detected a traffic anomaly, something inside their servers generated it: a process or a script. If they cannot find what generated that traffic, then either they are still compromised (for example, a rootkit hiding the responsible process) or their systems are not instrumented well enough to tie a few minutes of traffic back to a process. Keep in mind that a transient process that exits after a few minutes leaves nothing to find afterwards unless process-level logging (auditd, process accounting or per-connection process attribution) was already in place; flow records alone tell you which hosts talked and how much, not which process did it.
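To make the "matching anomaly in the opposite direction" reasoning concrete, here is an added example (our illustration, not code from LastPass or from the original post) that runs a robust outlier check over per-minute byte totals and then looks for other host/direction series that spiked in the same minutes. The hostnames (web-07, db-02), the ten-minute window and all byte counts are constructed for the example and are not real LastPass data.

```python
"""Added example: flag a short-lived egress anomaly in per-minute flow totals
and find the series on other hosts that spiked in the same minutes.
Not code from LastPass or Sucuri; hosts and numbers below are invented."""
from statistics import median

# Constructed per-minute byte totals for two invented hosts over ten minutes.
# Minutes 7-9 carry the anomaly: the "non-critical" web box pushes a few MB out,
# and the database sends a smaller but matching burst to it at the same time.
_SERIES = {
    ("web-07", "out"): [52000, 55000, 49000, 58000, 51000, 54000, 50000,
                        3100000, 2900000, 3300000],
    ("web-07", "in"):  [41000, 43000, 40000, 44000, 42000, 45000, 41000,
                        910000, 870000, 940000],
    ("db-02", "out"):  [210000, 198000, 205000, 215000, 201000, 208000, 199000,
                        920000, 880000, 950000],
    ("db-02", "in"):   [82000, 79000, 85000, 81000, 78000, 84000, 80000,
                        83000, 81000, 79000],
}
# Flatten into (minute, host, direction, bytes) records, the shape a flow
# collector would hand you after aggregation.
SAMPLE_FLOWS = [(minute, host, direction, nbytes)
                for (host, direction), series in _SERIES.items()
                for minute, nbytes in enumerate(series)]


def robust_zscores(values):
    """Median/MAD z-scores: a three-minute burst cannot drag the baseline
    the way it would with mean and standard deviation."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # guard a perfectly flat series
    scale = 1.4826 * mad  # MAD -> sigma-equivalent for normal data
    return [(v - med) / scale for v in values]


def anomalous_minutes(flows, host, direction, threshold=5.0):
    """Minutes in which (host, direction) exceeds the robust threshold."""
    series = sorted((m, b) for m, h, d, b in flows if h == host and d == direction)
    scores = robust_zscores([b for _, b in series])
    return {m for (m, _), z in zip(series, scores) if z > threshold}


def matching_anomalies(flows, host, direction, threshold=5.0):
    """For the anomaly on (host, direction), return every other series that
    spiked in the same minutes, keyed by (host, direction). This is the
    'matching traffic anomaly in the opposite direction' check: egress on
    one box lining up with egress on the database."""
    target = anomalous_minutes(flows, host, direction, threshold)
    if not target:
        return {}
    others = {(h, d) for _, h, d, _ in flows} - {(host, direction)}
    hits = {}
    for h, d in sorted(others):
        overlap = target & anomalous_minutes(flows, h, d, threshold)
        if overlap:
            hits[(h, d)] = sorted(overlap)
    return hits


def bytes_in_window(flows, host, direction, minutes):
    """Total bytes for (host, direction) over the given minutes; used to show
    that the database sent far more than it received during the burst."""
    return sum(b for m, h, d, b in flows
               if h == host and d == direction and m in minutes)


if __name__ == "__main__":
    spike = anomalous_minutes(SAMPLE_FLOWS, "web-07", "out")
    print("web-07 egress anomaly at minutes:", sorted(spike))
    for (h, d), mins in matching_anomalies(SAMPLE_FLOWS, "web-07", "out").items():
        print(f"  matching spike: {h} {d} at minutes {mins}")
    out = bytes_in_window(SAMPLE_FLOWS, "db-02", "out", spike)
    inn = bytes_in_window(SAMPLE_FLOWS, "db-02", "in", spike)
    print(f"db-02 during burst: {out} bytes out vs {inn} bytes in")
```

The correlation step is what turns "a box was noisy for a few minutes" into "the database emptied itself toward that box". Note what it does not give you: the process on web-07 that opened the connections. Pairing this with process-level records captured at the time is the only way to close that gap after the fact.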

But we believe they did the right thing in notifying their users, and hopefully they will get it sorted out soon. If you are looking for alternative password manager solutions, we have heard good things about http://keepass.info/ and http://peguta.com (not that we think you should stop using LastPass).

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • http://www.workingsandbox.com/ Shannon Wagner

    Thanks for your post… I was impressed to see how quickly LastPass responded, even if there were a few glitches in their response. That’s better than most companies do.

    To me, there are a few good lessons that LastPass can learn here. First, eventually they will need to really cross over to mainstream (non-techie) users, if they are going to continue growing. With the number of login glitches reported on the original blog post this morning, I think they are not quite there yet. Again, better than most companies, but I think it could have gone smoother – for example, my elderly aunt or uncle who relies on the service might be confused about what to do and how to fix any problems.

    Next, I think as LastPass grows its user base that they will become a bigger and bigger target for cybercrime. In a sense, the most valuable information in the world could be accessed by a successful attack – after all, for all we know the White House uses them to manage their passwords. ;-)

    Joking aside, there are surely a lot of valuable keys tied into the LastPass service, so I am happy to see them strengthen their security during this, which appears to be a minor possible breach, rather than as a reaction to a confirmed and widespread breach.

