Popular web-based password vault LastPass is forcing thousands of users to change master passwords following a potential data breach.
The respected security service warned users via email that it detected “an anomaly” in network traffic which it said may be a result of the theft of email address and passwords from its network.
LastPass is billed as “the last password you’ll ever need” because it stores online identities protected by a master password.
A slight increase in outbound traffic was detected from a non-critical server and separately from a database which the company said could not be explained.
“In this case, we couldn't find that root cause,” it said in an email. “…we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed.”
The company said it knows “roughly” how much data was transferred which is “big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database”.
The amount transferred is not enough to have moved whole encrypted password vaults, the company said.
Users must also either log in to the service from a previously used IP address block or validate the email address on the account.
“The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.”
Brute force attacks would be required to break the salted passwords.
In response, LastPass will bolster its security by implementing the PBKDF2 key derivation function with the SHA-256 cryptographic hash on its server, using a 256-bit salt and 100,000 rounds.
“In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we'll continue to find ways to reduce how large a target we are.”
Users locked out of their email accounts, if for instance they relied on LastPass to log in, can use any of the multiple LastPass plugins in offline mode using their existing master password.
The company has bucked the trend by disclosing the anomaly, the risk of a data breach, and taking long-term steps to strengthen security.
In February, it was quick to disclose a Cross Site Scripting flaw and took lengthy steps to rectify the problem.
Meanwhile, Sony and email provider Epsilon were chastised for lax disclosure efforts after they were each hit with massive data breaches.