LastPass hits the master password change button after alert

The move means that users must either authenticate themselves from one of their 'normal' IP addresses when accessing the service, or use an email-based authentication approach.

The master password reset has reportedly 'stranded' many LastPass users without access to the sites they use with the service's web browser add-in, which automates the login process on most websites.

This appears to be because those users are unable to authenticate themselves to the service either from a recognised IP address or via email. Whilst it's unclear how many users are affected, the update process has not reached all members yet, suggesting that LastPass is staging the rollout.

In its blog advisory on the site, posted yesterday morning, LastPass said: "we noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password."

"We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script."

"In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server)."

"Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs."

According to LastPass, whilst it realises this step may be an overreaction - "and we apologise for the disruption this will cause" - "we'd rather be paranoid and slightly inconvenience you than to be even more sorry later."

As a result of the incident, the service is upgrading security on all its systems to prevent a recurrence.

Commenting on the master password reset, security researcher Brian Krebs said that LastPass has around 1.25 million users and, whilst it has done a good job in designing a secure service, "looks like they dropped the ball a bit in testing and hardening their internal infrastructure."

"Still, their (apparent) transparency about what happened is a refreshing change from the brand of disclosure practised in the wake of other, much larger breaches of late", he noted.
