LastPass potentially hacked, master passwords possibly compromised


First Sony (twice), and now LastPass? The company has issued a security announcement saying it found an “anomaly” on its servers, is fearing the worst, namely that master passwords may have been compromised, and is forcing a master password reset for all users.

The data believed taken includes some users’ email addresses, their salted password hashes and the server salt, but the amount of data transferred isn’t remotely enough to have pulled many users’ encrypted data blobs.

Because the stored hashes are salted, users with strong, non-dictionary master passwords should not be at practical risk from a brute-force attack on the leaked hashes. The caveat: a per-user salt defeats precomputed tables, but it does not slow a targeted guess-by-guess attack, so the protection rests on the master password itself being hard to guess, and anyone with a weak one should change it. In addition, LastPass is validating logins by IP address or by email confirmation, just to make sure you are, well, you.

According to LastPass, it noticed the anomaly while examining its logs on Tuesday, and it explains how it knows what was taken:

We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users encrypted data blobs.

It is also using the incident to roll out a stronger password-hashing scheme on its servers:

We’re also taking this as an opportunity to roll out something we’ve been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We’ll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we’ll continue to find ways to reduce how large a target we are.
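To make the quoted scheme concrete, here is an added example (not LastPass’s code) modelling it in Python: server-side PBKDF2-HMAC-SHA256 with a random 256-bit salt and 100,000 rounds, a second PBKDF2 pass on the client so the raw master password never reaches the server, and the offline dictionary attack an attacker holding a leaked salt and hash can mount. The client-side round count, the use of the account email as the client-side salt, and the sample account and wordlist are assumptions constructed for this example.

```python
# Added example (not LastPass's code): the scheme quoted above, modelled in Python.
# Server side: PBKDF2-HMAC-SHA256, 256-bit random salt, 100,000 rounds.
# Client side: a second PBKDF2 pass so the raw master password never reaches
# the server. The client round count and the use of the account email as the
# client-side salt are assumptions made for this example.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Iterable, Optional

SERVER_ROUNDS = 100_000   # iteration count from the announcement
SALT_BYTES = 32           # 256-bit per-user salt, as announced
CLIENT_ROUNDS = 5_000     # assumption: the page gives no client-side count


@dataclass(frozen=True)
class StoredRecord:
    """What the server keeps per user: salt, round count and the final digest."""
    salt: bytes
    rounds: int
    digest: bytes


def client_auth_hash(email: str, master_password: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side PBKDF2: turns the master password into the value actually sent
    at login. Salted with the lower-cased account email (an assumption here)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), rounds)


def server_store(auth_hash: bytes, rounds: int = SERVER_ROUNDS) -> StoredRecord:
    """Server-side PBKDF2 over what the client sent, with a fresh random salt.
    Two users with the same master password therefore get different digests."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds)
    return StoredRecord(salt=salt, rounds=rounds, digest=digest)


def server_verify(record: StoredRecord, auth_hash: bytes) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record.salt, record.rounds)
    return hmac.compare_digest(candidate, record.digest)


def offline_dictionary_attack(email: str, record: StoredRecord,
                              wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding a leaked (salt, digest) pair can do: try guesses
    offline. Each guess costs CLIENT_ROUNDS + record.rounds HMAC iterations, which
    is the whole point of the round count; the salt only stops precomputation."""
    for guess in wordlist:
        if server_verify(record, client_auth_hash(email, guess)):
            return guess
    return None


if __name__ == "__main__":
    email = "alice@example.com"                               # constructed sample account
    weak = server_store(client_auth_hash(email, "password123"))
    strong = server_store(client_auth_hash(email, "correct horse battery staple"))
    wordlist = ["123456", "qwerty", "letmein", "password123"]  # constructed wordlist
    print("weak password recovered:", offline_dictionary_attack(email, weak, wordlist))
    print("strong password recovered:", offline_dictionary_attack(email, strong, wordlist))
```

Running the module shows the dictionary password being recovered and the passphrase surviving the same wordlist; the cost per guess is what the 100,000 rounds buy, and the fresh salt per record is what stops one cracking run from covering every user at once.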

Despite the scale of the problem, to LastPass’ credit it told users about it within 48 hours of finding it and forced a reset of every master password. I’m assuming all of this comes as Sony faces a negative backlash over its handling of its own security problems.

By the way, techgeek.com.au has an interesting article on how to remember and create a secure password, so if you need any help – go there now.
