May 5, 2011

LastPass resets passwords for all users following potential breach

LastPass - the well-known and widely used password management and form filling system - has reset the master password for all its users following the discovery of two network traffic anomalies that could have been the result of a hack.

Reasoning that it is better to be a little paranoid and prevent future damage, the company decided to assume that the anomalies were caused by unauthorized access to its database and that some data has been stolen.

"We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database," the LastPass Team explained on the company blog. "We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs."

The company is investigating the matter, but it's still in the dark about what actually happened and what attack vector has been used - if, indeed, the anomalies are the result of an attack. "We had our asterisk phone server more open to UDP than it needed to be which was an issue our auditing found but we couldn't find any indications on the box itself of tampering, the database didn't show any changes escalating anyone to premium or administrators, and none of the log files give us much to go on," they say.

It's heartening to see that the company takes security very seriously and that it's closely monitoring its assets. It is also good to see that it has been working on improving its security stance, and that it's rolling out a stronger password hashing system - PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds.
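The scheme named above (PBKDF2 with SHA-256, a 256-bit salt and 100,000 rounds) can be sketched as follows. This is an added example, not LastPass code: the record format, the per-record random salt and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ALGO = "sha256"
ROUNDS = 100_000   # round count named in the article
SALT_BYTES = 32    # 256-bit salt named in the article


def hash_password(password: str, rounds: int = ROUNDS) -> str:
    """Return a self-describing record: scheme$rounds$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)  # assumption: a fresh random salt per record
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_{ALGO}${rounds}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds, then compare in constant time."""
    try:
        scheme, rounds_s, salt_hex, hash_hex = record.split("$")
        rounds = int(rounds_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: reject rather than raise
    if scheme != f"pbkdf2_{ALGO}" or rounds < 1:
        return False
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str) -> bool:
    """True when a record is malformed or uses fewer rounds than current policy."""
    parts = record.split("$")
    return len(parts) != 4 or not parts[1].isdigit() or int(parts[1]) < ROUNDS
```

Storing the round count inside each record lets a service raise the cost later and re-hash weaker records the next time the user logs in successfully.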

Other precautions include temporarily moving services off the affected boxes, rebuilding those boxes, and verifying the source code of the website and plugins. According to the company, the repository has not been tampered with.

Aside from forcing users to change their master password, LastPass will verify users' identity either by requiring that they access the account from an IP block they have used before or by validating their email addresses - just in case their password was brute-forced. Naturally, the company also advises users to change their passwords to something more complex.

As prompt as LastPass has been in reacting to this potential breach in order to protect its customers, I can't help but be amused by their unfortunate choice of slogan. As it turns out, that wasn't the last password the users would have to remember.
