LastPass Security Breach - Master Passwords At Risk

Unusual network activity today caused the password management system, LastPass to be on high alert and issue a security update. This potential breach has put the company on high alert and going as far to require all users to change their master password as a precaution.

In a blog post released by LastPass the company notes that there was some strange unexplained network activity in several places in the system. The root cause did not originate within the company, so LastPass is assuming the worst.

Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transfered and that it’s big enough to have transfered people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users encrypted data blobs.

LastPass also notes that the threat in this case is brute-fore password attacks, that usually use dictionary-based key generators. For this reason, users who have strong, non-dictionary based passwords should be alright and not worry as much as the other guy who used “password” as his password.

LastPass recognizes that some users don’t have as complex passwords as some others, in this case LastPass is playing it safe and requiring everyone to change their passwords.

Unfortunately, this case caused a massive network spike to the LastPass servers. In response to this issue LastPass made an edit to the post:

Record traffic, plus a rush of people to make password changes is more than we can currently handle.

We’re switching tactics — if you’ve made the password change already we’ll handle you normally.
If you haven’t the vast majority of you will be logged in using ‘offline’ mode so you can still use LastPass like normal and get back to your day, only syncing of new password should suffer (and you’ll see the bar).

This means, LastPass users who have not already changed their passwords will be logged into offline mode. LastPass will work as usual, but the syncing of new passwords won’t be available.

LastPass is a powerful cloud-based service that is doing the right thing and alerting users and quickly addressing the problem. As a personal user of the service I am confident that my information is safe, but only time will tell.