LastPass has issued a statement on its blog (see below) saying it had noticed an anomaly in network traffic for a few minutes to one of its non-critical machines – resulting in the unauthorised transmission of data.
Engineers at LastPass tried to identify the traffic source and failed, so they are forcing its millions of users to change their master passwords as a precaution.
The irony here is the LastPass strapline: “The Last Password You’ll Ever Need.” Turns out you might need more than one. Oh well.
Despite this potential security breach, LastPass has a strong reputation among the technology-savvy as a rather good piece of password-management software. It allows users to store the multitude of passwords for their various online activities in an encrypted form, accessible only via their master password.
Following LastPass’s security emergency review, users are prompted to enter their associated email address when they try to enter their master password. LastPass then sends a link in an email notification requesting users enter a new master password.
So far so good, except there are a number of disgruntled users whose email password is stored within – you guessed it – LastPass: Catch-22.
The other reported problem for some email users, including some Gmail users, is that LastPass’s automated email notification is getting caught up in spam traps. So, if you haven’t yet received your expected email notification from LastPass, check the spam folder.
I think this situation underlines the real importance of strong passwords. Please do not use dictionary words or easy-to-crack passwords for sensitive information, like a master password which protects all of your other passwords.
Not sure what a strong password is, or why it’s important you should choose a unique one? Watch this short Sophos Naked Security video.
And for what it’s worth, I think LastPass are doing the right thing: they saw something odd. They cannot explain it. There is a risk that sensitive info is in the wrong hands, so they immediately go into action, explain with some detail why they are concerned, and tell you what to do about it.
True, it is not a pain-free process for its users, but ultimately most users I have talked to are really grateful that they are taking the better-safe-than-sorry approach.
The only concern is that I have heard that they do not plan to email all their users. I think this might be a mistake. For the less technically inclined, having their LastPass software request a new password and not seeing an email communication from the company might raise unwarranted suspicions.
Here is the blog message in full, copied from LastPass’s blog:
May 4, 2011
LastPass Security Notification
We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.
We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.
In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.
If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.
To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.
We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.
We're also taking this as an opportunity to roll out something we've been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We'll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we'll continue to find ways to reduce how large a target we are.
For those of you who are curious: we don't have very much data indicating what potentially happened and what attack vector could have been used and are continuing to investigate it. We had our Asterisk phone server more open to UDP than it needed to be which was an issue our auditing found but we couldn't find any indications on the box itself of tampering, the database didn't show any changes escalating anyone to premium or administrators, and none of the log files give us much to go on.
We don't have a lot that indicates an issue occurred but it's prudent to assume where there's smoke there could be fire. We're rebuilding the boxes in question and have shut down and moved services from them in the meantime. The source code running the website and plugins has been verified against our source code repositories, and we have further determined from offline snapshots and cryptographic hashes in the repository that there was no tampering with the repository itself.
Again, we apologize for the inconvenience caused and will continue to take every precaution in protecting user data.
The LastPass Team.
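To make the statement's two technical points concrete (a dictionary-word master password can be recovered from a leaked salt and hash, and PBKDF2 with 100,000 rounds raises the cost of every guess), here is an added example that is not LastPass's code. The single-pass salted SHA-256 baseline, the wordlist and both sample passwords are constructed assumptions for comparison; the page does not say how the earlier hashes were computed.

```python
import hashlib
import hmac
import os
import time

ROUNDS = 100_000   # rounds quoted in the statement
SALT_BYTES = 32    # 256-bit salt quoted in the statement
# Constructed sample wordlist standing in for "dictionary words".
WORDLIST = ["password", "letmein", "dragon", "sunshine", "monkey"]

def single_pass_hash(password, salt):
    """Assumed baseline for comparison only: one salted SHA-256 pass."""
    return hashlib.sha256(salt + password.encode()).digest()

def pbkdf2_hash(password, salt, rounds=ROUNDS):
    """PBKDF2-HMAC-SHA256 with the parameters named in the statement."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def audit_wordlist(stored, salt, wordlist, hash_fn):
    """Return the wordlist entry that reproduces `stored`, else None."""
    for word in wordlist:
        if hmac.compare_digest(hash_fn(word, salt), stored):
            return word
    return None

def seconds_per_guess(hash_fn, salt, samples):
    """Average wall-clock cost of one guess under `hash_fn`."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}", salt)
    return (time.perf_counter() - start) / samples

def demo():
    salt = os.urandom(SALT_BYTES)  # known to anyone holding the database
    weak = pbkdf2_hash("sunshine", salt)                       # constructed
    strong = pbkdf2_hash("vexed-Quartz-41-lantern-orbit", salt)  # constructed
    slow = seconds_per_guess(pbkdf2_hash, salt, samples=3)
    fast = seconds_per_guess(single_pass_hash, salt, samples=1000)
    return {
        "weak_found": audit_wordlist(weak, salt, WORDLIST, pbkdf2_hash),
        "strong_found": audit_wordlist(strong, salt, WORDLIST, pbkdf2_hash),
        "slowdown": slow / fast,
    }

if __name__ == "__main__":
    print(demo())
```

The salt only stops precomputed tables; once it leaks alongside the hash, the round count sets the price of each guess, and a password outside every wordlist is the part the user controls.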
9 comments on “LastPass forces users to change master password after network traffic oddity”
Thank you for weighing in on the issue. To me, reputation – coming from a wide range of online sources – is very important to keep LastPass trustworthy. I also think they provide a great service, but I don’t want to base my own trust on just what I hear directly from the company – the service provided is too critical to justify blind trust.
In all, I think this issue is a good test of the company’s ability to respond quickly, and I feel confident that they will use what they learn from any support issues today to make a few significant improvements in communication and in technology, which should even further lessen any negative impact in the future.
Many of us have strong passwords but then store them in the security menu of our browser. Is that stupid? It's convenient!
Your browser can be tricked into divulging the passwords it has stored – in some cases even if it's protected by a master password.
Frankly, anything that automatically responds to page content by inserting a saved password (whether it's the browser itself or a plug-in) has the potential to be tricked.
We must commend LastPass on their response to this. They have been thorough and open about what went wrong in this scenario. For this reason I will likely sign up to their service. I can’t stress how important corporate transparency is in this day and age, but LastPass have earned my trust and respect simply by telling us what went wrong. Am I wrong?
Don't think you are – they are doing right by customers/users. Let's hope other companies take notice.
Sounds to me like a very timely and prudent response.
Sounds like responsible action by LastPass, but it does raise – once again – the risk of concentrating too much value / service / target material in a single system or service. Similar to the possibility of RSA losing some master key material for their tokens — too much value in too small a place.
I would have liked an e-mail notification.
Are they only e-mailing users with weak passwords? If so, how do they determine this, and does this raise further security issues itself?
I was a premium customer, but this breach together with the loss of emails a few days prior had made me rethink my password storage, and I have gone back to my password manager contained entirely on my PC. I think that all cloud based services that contain critical and financially important information such as bank passwords are going to be a target from hackers. If they can manage to hack Sony, and now LastPass... can you trust your financial information with them? I have made my decision to keep it myself, then I only have myself to blame if it goes wrong, and I won’t be such a big target as LastPass. Just think of the coup if someone gets access to all those accounts?