LastPass resets passwords for all users following potential breach

LastPass – the well-known and widely used password management and form filling system – has reset the master password for all its users following the discovery of two network traffic anomalies that could have been the result of a hack.

Thinking that it is better to be a little paranoid and prevent future damages, the company decided to assume that the anomalies are due to unauthorized access to their database and that some data has been stolen.

“We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database,” the LastPass Team explained on the company blog. “We also know that the amount of data taken isn’t remotely enough to have pulled many users encrypted data blobs.”

The company is investigating the matter, but it’s still in the dark about what actually happened and what attack vector has been used – if, indeed, the anomalies are the result of an attack. “We had our asterisk phone server more open to UDP than it needed to be which was an issue our auditing found but we couldn’t find any indications on the box itself of tampering, the database didn’t show any changes escalating anyone to premium or administrators, and none of the log files give us much to go on,” they say.

It’s heartening to see that the company takes security very seriously and that it’s closely monitoring its assets. It is also good to see that it has been working on improving its security stance, and that it’s rolling out a stronger password hashing system – PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds.

Other taken precautions involve the temporary move of services from the affected boxes, their rebuilding and the verification of website and plugins source code. According to them, the repository has not been tampered with.

Aside from forcing users to change their master password, LastPass will check their identity either by requesting that they access the account from a IP block they have used before or by validating their email addresses – just in case their password was brute-forced. Naturally, they also advise users to change their passwords to something more complex.

As prompt as LastPass has been in reacting to this potential breach in order to protect its customers, I can’t help but be amused by their unfortunate choice of slogan. As it turns out, that wasn’t the last password the users would have to remember.

UPDATE: Duo Security’s Jon Oberheide thinks that the Asterisk server that was exposed to the Internet mentioned by LastPass in the blog post could have been the attackers’ initial entry point into the system, since Asterisk has a bad security track record.

In any case, here is what he recommends to LastPass users in order to limit the exposure of their credentials now and in the future:

• Go through your LastPass keychain and change your passwords for any websites that are important to you. If you want ensure you’re safe, you should assume that the master password database and encrypted blobs were exfiltrated and that the attackers will be successful in cracking your master password, thereby recovering all the saved entries in your keychain. Better safe than sorry.
• Never store sensitive passwords in your LastPass keychain. LastPass is great for all of the random non-critical websites you browse and log in to on a daily basis, but the risk of exposure is too great to trust it for highly sensitive credentials (eg. online banking credentials).
• Regardless of the outcome of this incident, you should be using a master password that follows strong password guidelines and includes mixed-case alpha, numeric, and special characters.
• And lastly, encourage the websites you frequent to employ two-factor authentication, so that we can kill all of these password management headaches once and for all.