LastPass.com, a free password management service that lets users unlock access to all of their password protected sites with a single master password, is forcing all of its approximately 1.25 million users to change their master passwords after discovering that intruders may have accessed the company’s user database.
In an alert posted to the company’s blog late Wednesday, LastPass said that on Tuesday morning it spotted a “traffic anomaly” — unexplained transfers of data — from one of the company’s databases. From that blog entry:
“Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transfered [sic] and that it’s big enough to have transfered people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users encrypted data blobs.
If you have a strong, non-dictionary based password or pass phrase, this shouldn’t impact you – the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that’s immune to brute forcing.
To counter that potential threat, we’re going to force everyone to change their master passwords.”
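A simplified model of the scheme the advisory above and the paragraph below describe, added here as an example rather than LastPass’s own code: the client key is a hash of email and master password, the server keeps only a salted hash of that key, and a forced master change rejects dictionary-based choices and issues a fresh server salt. The exact derivation, the word list and the minimum length are assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed mini wordlist standing in for a real dictionary (assumption).
COMMON_WORDS = {"password", "letmein", "sunshine", "dragon", "football"}
MIN_LENGTH = 12  # assumed policy value, not taken from the article


def derive_key(email: str, master_password: str) -> bytes:
    """Client-side key: hash of email and master password, as the article
    describes. Simplified stand-in, not LastPass's actual derivation."""
    return hashlib.sha256(email.lower().encode() + master_password.encode()).digest()


def server_record(server_salt: bytes, key: bytes) -> bytes:
    """The server-side 'salted password hash': the server never sees the
    master password, only the client key, which it salts and hashes again."""
    return hashlib.sha256(server_salt + key).digest()


def login_ok(record: bytes, server_salt: bytes, email: str, master_password: str) -> bool:
    """Normal login check. Once salt and record have leaked, this one-hash
    check is all that separates a guess from confirmation, which is why a
    dictionary-based master password gives so little protection."""
    candidate = server_record(server_salt, derive_key(email, master_password))
    return hmac.compare_digest(record, candidate)


def is_dictionary_based(master_password: str) -> bool:
    """Catch a dictionary word dressed up with digits or punctuation
    (e.g. 'Sunshine2011!'), the case the advisory warns about."""
    core = re.sub(r"[^a-z]", "", master_password.lower())
    return core in COMMON_WORDS


def master_password_acceptable(master_password: str) -> bool:
    return len(master_password) >= MIN_LENGTH and not is_dictionary_based(master_password)


def rotate_master(email: str, old_record: bytes, old_salt: bytes, old_pw: str, new_pw: str):
    """Forced master change: verify the old master, reject a weak new one,
    then re-salt so the leaked record no longer matches the account."""
    if not login_ok(old_record, old_salt, email, old_pw):
        raise ValueError("old master password incorrect")
    if not master_password_acceptable(new_pw):
        raise ValueError("new master password is dictionary-based or too short")
    new_salt = os.urandom(16)
    return new_salt, server_record(new_salt, derive_key(email, new_pw))
```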
LastPass consists of a core software application that sits on user machines, and a browser plug-in. Passwords are stored on the user’s system, so that no one at LastPass can access the information. What the company does keep is an encrypted blob of gibberish data that is generated by taking the user’s master password and email address and hashing the two. Any sensitive data saved to an account is secured by the encryption key on the user’s system and then sent to LastPass. Since the user’s encryption key is locally created each time users submit their master password and email to LastPass, all that the company stores is users’ encrypted data.
As an added precaution, LastPass said users who are attempting to change their master password from an Internet address block that the company has never before seen associated with their account will need to validate their email address with the company before picking a new password. But there appears to be a slight glitch with this step: The comments on the LastPass blog suggest that many users are currently locked out of their accounts, and now unable to access their email accounts in order to validate their addresses. LastPass Premium users can access their passwords via mobile devices such as the iPhone and Blackberry, but a number of users — including some who say they’re accessing the service via their PCs — report receiving an error message stating that “account settings restrict login from this mobile device.”
LastPass seems to have done a good job designing a secure service, but it looks like they dropped the ball a bit in testing and hardening their internal infrastructure. Still, their (apparent) transparency about what happened is a refreshing change from the brand of disclosure practiced in the wake of other, much larger breaches of late.