LastPass resets passwords following possible hack


Precautionary change-up

Password management system LastPass has reset users' master passwords as a precaution following the discovery of a possible hack attack against its systems.

The move follows the detection of two anomalies (one affecting a database server) on LastPass's network on Tuesday that could be the result of a possible hack attack. LastPass detected that more traffic had been sent from the database than had been received by a server, an event that might be explained by hackers extracting sensitive login credentials, stored in an obfuscated (hashed) format.

The worst case scenario is that miscreants might have swiped password hashes, a development that leaves users who selected easier-to-guess passphrases at risk of brute-force dictionary attacks. Once uncovered, these login credentials might be used to obtain access to all the login credentials stored through the service, as LastPass explains in a blog post (extract below).

If you have a strong, non-dictionary-based password or pass phrase, this shouldn't impact you; the potential threat here is brute-forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute-forcing.

To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address...

We realise this may be an overreaction and we apologise for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.

LastPass's decision to reset passwords as a precaution has made it difficult for some legitimate users to log onto the service again. Tips on re-enabling accounts can be found in a blog post by Chris Boyd, a security researcher at GFI Security, here.

The password-management outfit has taken the possible attack and resulting service disruption as the opportunity to introduce a stronger password hashing system. Although LastPass isn't sure how hackers might have entered its network (if indeed that's what happened), an assault based on an initial break-in via its Voice over IP system is the company's best initial guess as to what might have gone wrong.

This week's security flap at LastPass.com follows a security breach just six weeks ago that created a means to extract the email addresses (though not the passwords) of enrolled users. The two incidents are not thought to be related.

Source: The Register
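The attack the article describes, as an added example that is not part of the original post or of LastPass's own code: a leaked table of salted master-password hashes is attacked offline with a dictionary, and the same attack is repeated against a deliberately slow KDF to show what a "stronger password hashing system" buys. The hashing scheme (PBKDF2-HMAC-SHA256 with a per-user salt), the wordlist, the salts and the two users' passwords are all constructed for the demo; nothing here is LastPass's actual format.

```python
"""Offline dictionary attack against leaked, salted master-password hashes.

Added example, not code from the article or from LastPass. The hashing scheme
(PBKDF2-HMAC-SHA256 with a per-user salt) is an assumption chosen to illustrate
the point; the wordlist, salts and passwords are constructed for the demo.
"""
import hashlib
import hmac
import time

# Constructed attacker dictionary. Real wordlists run to millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "daffodil",
            "sunshine", "dragon", "monkey", "welcome", "football"]

# Constructed per-user salts (in a real leak these come out with the hashes).
SALT_A = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SALT_B = bytes.fromhex("a5a5a5a5b4b4b4b4c3c3c3c3d2d2d2d2")


def hash_master(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the stored verifier from a master password.

    iterations=1 behaves like a single salted SHA-256 (fast to verify, fast to
    guess); a large count models a deliberately slow KDF of the kind the
    article says LastPass moved to after the incident.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def dictionary_attack(stored: bytes, salt: bytes, iterations: int, wordlist):
    """Rehash every dictionary word with the leaked salt; return the match or None."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_master(candidate, salt, iterations), stored):
            return candidate
    return None


def leaked_database(iterations: int) -> dict:
    """Constructed 'stolen' rows, (salt, hash) per user.

    user_a picked a dictionary word; user_b picked a long non-dictionary passphrase.
    """
    return {
        "user_a": (SALT_A, hash_master("daffodil", SALT_A, iterations)),
        "user_b": (SALT_B, hash_master("correct-horse-battery-staple-7", SALT_B, iterations)),
    }


def crack_all(iterations: int) -> dict:
    """Run the dictionary attack over every leaked row; None means not cracked."""
    db = leaked_database(iterations)
    return {user: dictionary_attack(h, salt, iterations, WORDLIST)
            for user, (salt, h) in db.items()}


def seconds_per_guess(iterations: int, samples: int = 20) -> float:
    """Rough per-candidate cost at a given iteration count (single core, pure Python)."""
    start = time.perf_counter()
    for i in range(samples):
        hash_master(f"guess{i}", SALT_A, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    print("fast hash :", crack_all(1))
    print("slow KDF  :", crack_all(100_000))
    fast, slow = seconds_per_guess(1), seconds_per_guess(100_000)
    print(f"slowdown factor for the attacker: ~{slow / fast:,.0f}x")
```

Two things the run makes concrete. The salt only forces the attacker to recompute per user; it does nothing against a master password that is in the wordlist, which is why "daffodil" falls at any iteration count. The iteration count multiplies the attacker's cost per guess by roughly the same factor it multiplies the legitimate login, so it widens the gap between a small dictionary and a large one but cannot rescue a password that sits in the first few thousand guesses.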

They haven't reset them, otherwise you wouldn't be able to log in, right? You'd have to request a new password instead.

I was having probs logging in via the site, but eventually got in via the firefox add-on and changed my password.

Why does it take a kick up the arse for companies to improve their security?

http://blog.lastpass.com/2011/05/lastpass-security-notification.html

Exactly why I don't use a service like LastPass. It's all fine and dandy until it gets hacked.

Yea, I've thought of this too. However I created a Lastpass account this week and started to fill it with a few sites I use to try it out, and I think it's really convenient since it fills all login fields automatically, something that KeePass doesn't.

If you have a strong, non-dictionary-based password or pass phrase, this shouldn't impact you ? the potential threat here is brute-forcing your master password using dictionary words...

LastPass is no different than uploading KeePass to your DropBox account. It uses strong encryption and as long as you choose a strong password, there's nothing to be worried about.

I made a stupid mistake. I thought the extension was broken on Chrome so I uninstalled/reinstalled and now I don't have any passwords locally and of course, I cannot login to change my password and they offer no reset option.

From LastPass Blog:

Update 3, ~4:30pm EST:

Logging in offline should be working everywhere if you have logged in using that client before, if you're having problems with this please attempt to login via the website: https://lastpass.com/?ac=1 that should now take you through an email process to enable your current IP.

If you're having problems getting your data with pocket, make sure you're selecting to login to the local file, not logging in at LastPass.com.

Interestingly enough, I hadn't been able to log in with my original account....created a new account, under a new email address, and it works again. Of course, now I have to reenter (and change) a s**tload of passwords, but that's okay. XD

Which is why you use KeePass on a local drive instead of LastPass on the cloud.

Local storage that's on a removable drive that you insert only when you need it = WAY more secure than cloud-based LastPass.

Of course, KeePass is probably more secure (unless your computer is stolen while you were logged in, etc...). But it is less convenient. I have multiple computers, and it is nice to have my passwords synced across them (and smartphones). Besides, LastPass only has the salted hash of your passwords. Not much of a problem if you have a good master password.

I have a strong non-dictionary based password. I'm not going to have all my passwords in one place and have "password" or "dafodil" as my master pass. :rolleyes:

Having a yubikey also helps with the security, although the silly thing is you can just disable the 2 factor authentication by sending a verification email :-/

Personally I always think the reliance on your email account for disabling 2factor/resetting stuff is the weakest part of the system.

Saying that a lot of individual websites will use your email address to reset the password anyway so it's not that much of a problem just means they have to reset 1 login instead of lots.

Edit:

Ah yes I'm being stupid, you can disable the 2nd authentication factor via confirming an email link but you can't actually reset the master password that way, which makes sense given that they claim not to be able to decrypt your passwords at their end.
