LastPass hack risk forces users to change passwords

Summary: The company, which provides password storage for people who have multiple logins, has warned it may have lost customer data in a hacking incident

TOPICS: Security

Password management company LastPass is forcing customers to change their master passwords after detecting a possible breach.

On Tuesday, LastPass noticed that anomalous traffic had left one of its database servers, and also that anomalous traffic had flowed from one of its non-critical machines. While the company occasionally sees such anomalies, it was unable to track down the root cause in these instances.

"We're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed," the company said in a security advisory on Wednesday. "We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database."

Virginia-based LastPass provides tools that store and manage passwords for people who have multiple online logins. The consumer product allows users to encrypt a set of passwords and allocate a master password for use with browsers, while the enterprise version allows a single sign-on for websites and applications.

The company said attackers could potentially run a dictionary attack against the salted password hashes to recover master passwords. As a consequence, the company has forced users to reset their master passwords and, in a number of cases, to validate their email addresses.
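To make the risk described above concrete, here is an added Python example (it is not LastPass's code, and the server salt, wordlist and passwords are constructed for illustration). It shows why a leaked server salt plus salted hashes is dangerous for weak master passwords: the salt defeats precomputed tables, and a slow key-derivation function multiplies the cost of every guess, but neither helps when the master password itself appears in an attacker's wordlist. That is why the forced reset, not the salt, is the mitigation.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed toy wordlist standing in for the multi-million-entry lists
# used in real dictionary attacks; its order only affects the guess count.
SMALL_WORDLIST = ["123456", "password", "letmein", "qwerty", "lastpass"]

# Constructed server-wide salt; the real LastPass salt is not on the page.
SERVER_SALT = b"example-server-salt"


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Fast salted hash: a single SHA-256 over salt || password."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Slow salted hash: PBKDF2-HMAC-SHA256 with a large iteration count.
    Each guess costs roughly `iterations` times more than salted_sha256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def guesses_to_recover(
    stored_hash: bytes,
    salt: bytes,
    hash_fn: Callable[[str, bytes], bytes],
    wordlist: Iterable[str],
) -> Optional[int]:
    """Number of wordlist entries someone holding (salt, hash) must test before
    a candidate matches; None if the password is not in the wordlist at all.
    Knowing the salt lets every candidate be hashed exactly as the server did."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(hash_fn(candidate, salt), stored_hash):
            return guesses
    return None


def risk_report(master_password: str) -> dict:
    """Summarise what a leaked (salt, hash) pair exposes for one master password,
    under both a fast hash and a slow KDF."""
    fast_hash = salted_sha256(master_password, SERVER_SALT)
    slow_hash = slow_pbkdf2(master_password, SERVER_SALT)
    fast = guesses_to_recover(fast_hash, SERVER_SALT, salted_sha256, SMALL_WORDLIST)
    slow = guesses_to_recover(slow_hash, SERVER_SALT, slow_pbkdf2, SMALL_WORDLIST)
    return {
        "in_wordlist": fast is not None,
        "guesses_fast_hash": fast,
        "guesses_slow_kdf": slow,
    }


if __name__ == "__main__":
    for pw in ("letmein", "Tr0ub4dor&3-x9Q!"):
        print(pw, risk_report(pw))
```

The weak password is recovered after the same small number of guesses under both hash functions; the slow KDF changes only how long each guess takes. A master password that is not in any wordlist is the only one the leak does not expose, which matches the advice to reset weak master passwords rather than rely on the salt.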

Security company Netcraft said the breach was potentially serious for people who had weak master passwords.

"If a hacker can recover a single password, then all [the user's] passwords will be compromised, including webmail and Paypal," said Paul Mutton, a security analyst at Netcraft. "People would be wise to change their passwords."

Email validation proved difficult for at least one user, who could not log in to validate their email address.

"Quick question; LastPass seems to be unusable until I change my master password, but I can't log in to Gmail without LastPass giving me my Gmail password," wrote a user called Yansky in the comments below LastPass's security advisory. "So how do I reset my LastPass master password if I can't log in to my email?"

The company suggested logging into Gmail in offline mode to circumvent the problem.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.
