LastPass, one of the most popular cloud-based password management services, is forcing users to change their master passwords as a precaution after it discovered an unauthorized data transfer out of its network.
In a post on its blog the company explains, in sufficient detail, what prompted this measure, why it was the best course of action and what it means for users.
On May 3, the company detected larger than normal outbound traffic and immediately launched an internal audit to determine the source.
Such transfers have been detected before, but each time the origin was determined to be an employee or an automated script.
"In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction.
"Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed," the LastPass team explains.
The size of the transfer was big enough to include people's email addresses, salted master password hashes and the server salt, but not encrypted data blobs which contain people's stored passwords and form data.
The biggest risk, if this information was indeed stolen, is brute-force attacks against the hashes to recover the original passwords. The success of such attempts depends on the hashing algorithm used and the complexity of each password.
To be on the safe side, LastPass has decided to force its users to change their master passwords if and when they attempt to authenticate from an IP address that is not already stored in the account's login history.
The password change will also force users to prove their identity by validating their email addresses or connecting from a known IP address.
In addition, the company has taken other measures: rebuilding the affected boxes, verifying the integrity of the website and plug-in code against offline repository snapshots, and preparing to roll out PBKDF2 (Password-Based Key Derivation Function), a mechanism that iterates the salted hash many times so that each guess in a cracking attempt becomes far more expensive.
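The rollout described above, as an added illustration that is not LastPass's own code: a per-user salted PBKDF2 record that stores its iteration count, so a site can verify against an existing weak hash and transparently re-derive it at a higher cost the next time the user logs in (the iteration counts and record format are assumptions chosen for the example).

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters (not LastPass's actual settings): iteration counts
# chosen for illustration; production values should be tuned to hardware.
LEGACY_ITERATIONS = 1          # a single salted hash, as described pre-rollout
TARGET_ITERATIONS = 100_000    # the iterated PBKDF2 setting being rolled out
SALT_BYTES = 16


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash (hex).

    Storing the iteration count with the hash lets the cost be raised later
    without needing to re-hash every account at once.
    """
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_upgrade(record: str) -> bool:
    """True when the record was derived with fewer iterations than the target."""
    return int(record.split("$")[1]) < TARGET_ITERATIONS


def login(password: str, record: str) -> Tuple[bool, str]:
    """Verify, and on success re-hash at the target cost.

    The cleartext password is only available at login, so that is the
    moment a site can migrate weakly hashed records to the stronger KDF.
    """
    if not verify_password(password, record):
        return False, record
    if needs_upgrade(record):
        record = hash_password(password, TARGET_ITERATIONS)
    return True, record
```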
"We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later," the company said.
While this incident might look bad, LastPass should be commended for its openness. Not only did it issue warnings and take proactive measures before any hard evidence of a compromise was found, it also provided more details about what happened and what was done than most companies do.