LastPass resets passwords following possible hack


17 replies to this topic

#1 +Frank B.

Posted 05 May 2011 - 12:21

LastPass resets passwords following possible hack
Precautionary change-up

Password management system LastPass has reset users' master passwords as a precaution following the discovery of a possible hack attack against its systems.

The move follows the detection of two anomalies – one affecting a database server – on LastPass's network on Tuesday that could be the result of a possible hack attack. LastPass detected that more traffic had been sent from the database than had been received by a server, an event that might be explained by hackers extracting sensitive login credentials, stored in an obfuscated (hashed) format.

The worst case scenario is that miscreants might have swiped password hashes, a development that leaves users who selected easier-to-guess passphrases at risk of brute-force dictionary attacks. Once uncovered, these login credentials might be used to obtain access to all the login credentials stored through the service, as LastPass explains in a blog post (extract below).

If you have a strong, non-dictionary-based password or pass phrase, this shouldn't impact you – the potential threat here is brute-forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute-forcing.

To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address...

We realise this may be an overreaction and we apologise for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.


LastPass's decision to reset passwords as a precaution has made it difficult for some legitimate users to log onto the service again. Tips on re-enabling accounts can be found in a blog post by Chris Boyd, a security researcher at GFI Security, here.

The password-management outfit has taken the possible attack and resulting service disruption as the opportunity to introduce a stronger password hashing system. Although LastPass isn't sure how hackers might have entered its network – if indeed that's what happened – an assault based on an initial break-in via its Voice over IP system is the company's best initial guess as to what might have gone wrong.

This week's security flap at LastPass.com follows a security breach just six weeks ago that created a means to extract the email addresses – though not the passwords – of enrolled users. The two incidents are not thought to be related. ®

Source: The Register
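
The article says the service used the forced reset to move to a stronger password hashing system. The sketch below is an added example, not part of the original post and not LastPass's code: it shows one common way to do such a migration, re-hashing with salted PBKDF2 at the next successful login. The record format, function names and iteration count are all assumptions.

```python
import hashlib
import hmac
import os

TARGET_ITERATIONS = 100_000  # assumed work factor, not a figure from the article

def make_record(password, iterations=TARGET_ITERATIONS, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' with a random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def legacy_record(password):
    """Constructed 'old' format: a single unsalted SHA-256, cheap to guess against."""
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()

def verify(password, record):
    """Check a password against either record format; malformed records fail closed."""
    scheme, _, rest = record.partition("$")
    try:
        if scheme == "sha256":
            expected = bytes.fromhex(rest)
            actual = hashlib.sha256(password.encode()).digest()
        elif scheme == "pbkdf2_sha256":
            iters, salt_hex, hash_hex = rest.split("$")
            expected = bytes.fromhex(hash_hex)
            actual = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                         bytes.fromhex(salt_hex), int(iters))
        else:
            return False
    except (ValueError, OverflowError):
        return False
    return hmac.compare_digest(actual, expected)  # constant-time comparison

def needs_upgrade(record):
    """True for legacy records and for PBKDF2 records below the current work factor."""
    parts = record.split("$")
    return parts[0] != "pbkdf2_sha256" or int(parts[1]) < TARGET_ITERATIONS

def login(password, record):
    """Verify, then re-hash under the current policy while the plaintext is in hand."""
    if not verify(password, record):
        return False, record
    if needs_upgrade(record):
        record = make_record(password)
    return True, record
```

A copy of the old records taken before the migration remains exactly as guessable as it was, which is why the stronger hashing is paired with a forced password change.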


#2 Singh400

Posted 05 May 2011 - 12:38

Exactly why I don't use a service like LastPass. It's all fine and dandy until it gets hacked.

#3 +FiB3R

Posted 05 May 2011 - 12:57

They haven't reset them, otherwise you wouldn't be able to log in, right? You'd have to request a new password instead.

I was having probs logging in via the site, but eventually got in via the Firefox add-on and changed my password.

Why does it take a kick up the arse for companies to improve their security?


http://blog.lastpass...tification.html

#4 em3

Posted 05 May 2011 - 13:40

Exactly why I don't use a service like LastPass. It's all fine and dandy until it gets hacked.

Yea, I've thought of this too. However I created a Lastpass account this week and started to fill it with a few sites I use to try it out, and I think it's really convenient since it fills all login fields automatically, something that KeePass doesn't.

#5 +Boo Berry

Posted 05 May 2011 - 16:08

Not good, but I reset my already strong password nonetheless.

#6 compl3x

Posted 05 May 2011 - 16:46

I have a strong non-dictionary based password. I'm not going to have all my passwords in one place and have "password" or "dafodil" as my master pass. :rolleyes:

#7 alexalex

Posted 05 May 2011 - 16:50

How to migrate from the online LastPass to the free offline KeePass and change ALL saved passwords:

http://www.ghacks.ne...ent-what-i-did/

#8 +Xinok

Posted 05 May 2011 - 19:15

If you have a strong, non-dictionary-based password or pass phrase, this shouldn't impact you – the potential threat here is brute-forcing your master password using dictionary words...

LastPass is no different than uploading KeePass to your DropBox account. It uses strong encryption and as long as you choose a strong password, there's nothing to be worried about.

#9 alisalem

Posted 05 May 2011 - 19:17

I did a stupid mistake. I thought the extension was broken on Chrome so I uninstalled/reinstalled and now I don't have any passwords locally and of course, I cannot login to change my password and they offer no reset option.

#10 liju

Posted 05 May 2011 - 21:37

I did a stupid mistake. I thought the extension was broken on Chrome so I uninstalled/reinstalled and now I don't have any passwords locally and of course, I cannot login to change my password and they offer no reset option.


From LastPass Blog:

Update 3, ~4:30pm EST:

Logging in offline should be working everywhere if you have logged in using that client before, if you're having problems with this please attempt to login via the website: https://lastpass.com/?ac=1 that should now take you through an email process to enable your current IP.

If you're having problems getting your data with pocket, make sure you're selecting to login to the local file, not logging in at LastPass.com.



#11 alisalem

Posted 05 May 2011 - 22:04

From LastPass Blog:


Thanks! It's working!

#12 jwoodfin09

Posted 06 May 2011 - 02:15

Not working for me

#13 robertwnielsen

Posted 06 May 2011 - 02:21

Interestingly enough, I hadn't been able to log in with my original account....created a new account, under a new email address, and it works again. Of course, now I have to reenter (and change) a s**tload of passwords, but that's okay. XD

#14 LiquidSolstice

Posted 06 May 2011 - 04:20

Which is why you use KeePass on a local drive instead of LastPass on the cloud.

Local storage that's on a removable drive that you insert only when you need it = WAY more secure than cloud-based LastPass.

#15 DPyro

Posted 06 May 2011 - 15:00

Does KeePass automatically enter your user info for websites?