LastPass Requires Password Reset Following Possible System Hack
System glitches and error messages have caused headaches for LastPass customers, after a potential hack prompted the company to require to its 1.25 million users to change their master passwords.
LastPass, a free password management service that provides users access to an array of passwords for multiple accounts with one single password, began warning users to change their master passwords Wednesday after they noticed a network traffic anomaly from one of its non-critical machines the day before. Upon exploring the issue further, the company said that they detected a smaller matching traffic anomaly from one of its databases being sent from the server.
The possibility of a system hack prompted the company to require that its users authenticate who they are, either by ensuring that they come from an IP block or by validating their e-mail address.
"Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed," LastPass said in its advisory Wednesday. "We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later."
The company said that it was aware that the amount of transferred data was big enough to have included users e-mail addresses, the server salt and their salted password hashes from the database. However, the advisory said that the amount of data was probably not big enough to include user's encrypted data blobs.
"If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you—the potential threat there is a brute forcing your master password using dictionary words, then going to LastPass with the password to get your data," the advisory said. "Unfortunately, not everyone picks a master password that's immune to brute forcing."
However, security blogger Brian Krebs pointed out a glitch that kept many users -- mainly those accessing the service from PCs-- locked out of their own accounts, and unable to access their e-mail accounts, when they attempted to change their master passwords. While LastPass Premium users seemed to be able to access their accounts via their mobile smartphones, such as iPhones and Blackberrys, other users reported receiving an error message stating that "account settings restrict login from this mobile device.’
Still other users have reported that when they finally complete the required migration process, their data appeared "corrupted and unusuable," according to a SANS Institute blog.
LastPass attributed part of the problem on "record traffic, plus a rush of people to make password changes," which overwhelmed the company's systems. Subsequently, the company instructed users to access their data by logging in to the LastPass site in offline mode or by downloading the LastPass Pocket.
LastPass maintained that the percentage of users being sent through the e-mail validation process would increase as the traffic burden slowly was alleviated, but requested that users e-mail them if they continued to experience problems. The company later said it would not allow users to change master passwords "until our databases are completely caught up and we have resolved outstanding issues."
Next: Breach Underscored Need For Strong Passwords
Meanwhile, security experts said that the incident underscores the necessity of using strong passwords when dealing with critical accounts.
"This is why you don't set your master password to "password," said Chris Boyd, security researcher at GFI Software, in a blog post ."Their swift response to the possible attack is rather heartening, so kudos for that. If you weren't using a strong master password previously, take this as the warning shot that you really should do something about it next time you login to your LastPass account."
Among the updates LastPass has implemented following the breach was a feature that gives users the ability to determine the strength of their master password.