
Lastpass Security Breach

  • 15-06-2015 8:00pm
    #1
    Registered Users Posts: 51,054 ✭✭✭✭


    People using it should change their master password
    We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
    We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
    Nonetheless, we are taking additional measures to ensure that your data remains secure, and users will be notified via email. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
    If you have a weak master password or if you have reused your master password on any other website, please update it immediately. Then replace the passwords on those other websites.
    Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.
    Security and privacy are our top concerns here at LastPass. Over the years, we have been and continue to be dedicated to transparency and proactive measures to protect our users. In addition to the above steps, we’re working with the authorities and security forensic experts.
    We apologize for the extra steps of verifying your account and updating your master password, but ultimately believe this will provide you better protection. Thank you for your understanding and support.
    Joe Siegrist
    & the LastPass Team

    https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
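Added example, not code from the post or from LastPass itself: a minimal model of the two-stage strengthening the notice describes, client-side PBKDF2-SHA256 over the master password, then 100,000 server-side PBKDF2-SHA256 rounds with a random per-user salt, and a verify step using a constant-time compare. The client round count, using the e-mail address as the client salt, and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Server-side figure is from the notice; the client-side figure is an
# assumed value for illustration only.
CLIENT_ROUNDS = 5000
SERVER_ROUNDS = 100_000


def client_auth_hash(master_password: str, email: str,
                     rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side strengthening: derive the authentication hash from the
    master password, salted with the (lower-cased) account e-mail. The vault
    encryption key is a separate client-side derivation in the real product;
    only the authentication path discussed in the notice is modelled here."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), rounds)


def server_store(client_hash: bytes,
                 rounds: int = SERVER_ROUNDS) -> Tuple[bytes, bytes]:
    """Server-side strengthening: a random per-user salt plus a further
    100,000 PBKDF2-SHA256 rounds over what the client sent. The salt and the
    result are what gets stored, i.e. the two artefacts the notice says were
    taken along with e-mail addresses and reminders."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", client_hash, salt, rounds)
    return salt, stored


def server_verify(client_hash: bytes, salt: bytes, stored: bytes,
                  rounds: int = SERVER_ROUNDS) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", client_hash, salt, rounds)
    return hmac.compare_digest(candidate, stored)


def offline_guess_cost(client_rounds: int = CLIENT_ROUNDS,
                       server_rounds: int = SERVER_ROUNDS) -> int:
    """PBKDF2 iterations per candidate master password for someone holding
    e-mail, salt and stored hash: both derivations must be repeated for
    every guess, so the server rounds add directly to each guess's cost."""
    return client_rounds + server_rounds
```

The cost function is the point of the notice: a weak or reused master password is still guessable offline, just slowly, which is why the advice is to change it rather than to rely on the rounds alone.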


Comments

  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    Bit of a stinger, but good that they were open about it.


  • Registered Users Posts: 622 ✭✭✭Idioteque


Not so good considering they knew about it on Friday and yet the vast majority of users are finding out about it from 3rd party websites today... or in my case, on my HTC blinkfeed :mad:

    They haven't emailed anyone yet and if you visit their homepage, you would know nothing about it either...really badly handled.


  • Registered Users Posts: 1,835 ✭✭✭BoB_BoT


    Idioteque wrote: »
Not so good considering they knew about it on Friday and yet the vast majority of users are finding out about it from 3rd party websites today... or in my case, on my HTC blinkfeed :mad:

    They haven't emailed anyone yet and if you visit their homepage, you would know nothing about it either...really badly handled.

    Have you read the site at all? It's on the bottom of the page where the news-feed normally is. They've also answered the questions about "why haven't I gotten an email" there.

I don't see the problem, it takes time to investigate these things to see if there was an actual breach. They're very open about it, when they could have tried to cover it up or play it down.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Just received my LastPass email now:
    Dear LastPass User,

    We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised.

    We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.

    We apologize for the inconvenience, but ultimately we believe this will better protect LastPass users. Thank you for your understanding, and for using LastPass.

    Regards,
    The LastPass Team


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    They've handled it about as well as they could have and there's no immediate risk at least. Still, it'll probably be the kick up the arse I need to finally go get a Yubikey.


  • Registered Users Posts: 622 ✭✭✭Idioteque


    BoB_BoT wrote: »
    Have you read the site at all? It's on the bottom of the page where the news-feed normally is. They've also answered the questions about "why haven't I gotten an email" there.

I don't see the problem, it takes time to investigate these things to see if there was an actual breach. They're very open about it, when they could have tried to cover it up or play it down.

Yes I have read the site, have you? It's actually contained within the newsfeed as 1 line item - hardly calling attention to it. The homepage should have had a very obvious "customer alert" to draw people's attention to it.
Equally, I get the time to investigate it, but they could have easily emailed the text of the blog post at the same time as they posted it.

Quite a lot of others have complained about the same thing, don't get how you can't see it being a problem. They obviously want to downplay it as it's the core of what they do... unlike some other websites that get hacked, the impact affects their key business justification for existing.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    Idioteque wrote: »
the impact affects their key business justification for existing.

It depends. I think if you're using a service like this that you should assume it's compromised and work accordingly. It shouldn't prevent you using it in theory. I use keepass and I assume that my keepass archive is fair game. If you want to take a crack at decrypting it, good luck. I made the key strong enough that unless there's a crypto flaw somewhere even a well funded nation state would have trouble.

    Honestly I just assume lastpass is NSA'd anyway and that's why I use keepass. If you were the NSA you would be *mad* not to slap them with some kind of court order forcing weakened crypto or a straight up back door.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Khannie wrote: »
It depends. I think if you're using a service like this that you should assume it's compromised and work accordingly. It shouldn't prevent you using it in theory. I use keepass and I assume that my keepass archive is fair game. If you want to take a crack at decrypting it, good luck. I made the key strong enough that unless there's a crypto flaw somewhere even a well funded nation state would have trouble.

    Honestly I just assume lastpass is NSA'd anyway and that's why I use keepass. If you were the NSA you would be *mad* not to slap them with some kind of court order forcing weakened crypto or a straight up back door.

    Hi Khannie,

    I agree that using Lastpass risks handing over the hashes of all your passwords to the NSA - provided they can be subpoenaed that makes it too risky!

    Do you store your Keepass archive offline may I ask? I used to use it but I have had trouble getting it to run reliably on Linux.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    I keep it offline, yep, with a copy on a server that I can SCP from in the event that I need it (and also for syncing).

It works fine on Linux for me. I use various Lubuntus mostly. I had to do a full install of mono (mono-complete) to get the plugins to work that allow browser integration though.


  • Registered Users Posts: 622 ✭✭✭Idioteque


Good point re expectations of using this type of service. I suppose to me it's a step above using the same password on every site and one more above that if you use 2-stage auth.
    It has made me rethink my effort levels and begin to look at better alternatives which will invariably take more effort but be worth it in the long run.

