Friday, May 6, 2011

Users Forced to Change Passwords due to LastPass hack threat

From Tom Espiner and ZDNET :

Password management company LastPass is forcing customers to change their master passwords after detecting a possible breach.

On Tuesday, LastPass noticed that anomalous traffic had left one of its database servers, and also that anomalous traffic had flowed from one of its non-critical machines. While the company occasionally sees such anomalies, it was unable to track down the root cause in these instances.
"We're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed," the company said in a security advisory on Wednesday. "We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database."
Virginia-based LastPass provides tools that store and manage passwords for people who have multiple online logins. The consumer product allows users to encrypt a set of passwords and allocate a master password for use with browsers, while the enterprise version allows a single sign-on for websites and applications.
The company said hackers could potentially apply brute force to salted password hashes using a dictionary attack to reveal master passwords. As a consequence, the company has forced users to reset their master passwords and, in a number of cases, to validate their email addresses.
Security company Netcraft said the breach was potentially serious for people who had weak master passwords.
If a hacker can recover a single password, then all [the user's] passwords will be compromised, including webmail and Paypal.
– Paul Mutton, Netcraft
"If a hacker can recover a single password, then all [the user's] passwords will be compromised, including webmail and Paypal," said Paul Mutton, a security analyst at Netcraft. "People would be wise to change their passwords."
Email validation proved difficult for at least one user, who could not log in to validate their email address.
"Quick question; LastPass seems to be unusable until I change my master password, but I can't log in to Gmail without LastPass giving me my Gmail password," said a user called Yansky said in the comments below LastPass's security advisory. "So how do I reset my LastPass master password if I can't log in to my email?"
The company suggested logging into Gmail in offline mode to circumvent the problem.

No comments:

Post a Comment