LastPass hack risk forces users to change passwords

Summary: The company, which provides password storage for people who have multiple logins, has warned it may have lost customer data in a hacking incident

Password management company LastPass is forcing customers to change their master passwords after detecting a possible breach.

On Tuesday, LastPass noticed that anomalous traffic had left one of its database servers, and also that anomalous traffic had flowed from one of its non-critical machines. While the company occasionally sees such anomalies, it was unable to track down the root cause in these instances.

"We're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed," the company said in a security advisory on Wednesday. "We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database."

Virginia-based LastPass provides tools that store and manage passwords for people who have multiple online logins. The consumer product allows users to encrypt a set of passwords and allocate a master password for use with browsers, while the enterprise version allows a single sign-on for websites and applications.

The company said hackers could potentially brute-force the salted password hashes using a dictionary attack to recover master passwords. As a consequence, the company has forced users to reset their master passwords and, in a number of cases, to validate their email addresses.

Security company Netcraft said the breach was potentially serious for people who had weak master passwords.

"If a hacker can recover a single password, then all [the user's] passwords will be compromised, including webmail and PayPal," said Paul Mutton, a security analyst at Netcraft. "People would be wise to change their passwords."

Email validation proved difficult for at least one user, who could not log in to validate their email address.

"Quick question; LastPass seems to be unusable until I change my master password, but I can't log in to Gmail without LastPass giving me my Gmail password," said a user called Yansky in the comments below LastPass's security advisory. "So how do I reset my LastPass master password if I can't log in to my email?"

The company suggested logging into Gmail in offline mode to circumvent the problem.

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues.