LastPass says it detected a "network traffic anomaly" in a noncritical server that led to the discovery of a similar problem with its database that houses email addresses and salted password hashes: More traffic was going out of the server than was going in.
"Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt, and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs," LastPass said in its company blog.
Joe Siegrist, CEO of LastPass, told Dark Reading that this doesn't appear to be the result of a SQL injection attack because there aren't any "large or suspicious Web requests in the Web logs."
"We don't know details. We know that there was traffic we can't account for, so we're taking a 'worst possible scenario' view, which we think is appropriate," Siegrist says. "We are not emailing users. We lock them out if they're not coming from a known IP, and then redirecting [them] to a URL explaining [why]."
Users with strong passwords that are not dictionary-based should be safe: The biggest threat is an attacker brute-forcing master passwords and then using them to get to users' data, according to LastPass. But erring on the side of caution, the company is forcing all users to change master passwords, and is also checking IPs and validating emails to ensure the users are who they say they are, just in case.
But the volume of password changes ended up overwhelming LastPass today, so not all users have to change their master passwords right away. "We're overloaded handling support and the sheer load of password changes is slowing us down. We've implemented a way for you to verify your email and then not be immediately forced to change your password for that IP; access from any other IP would bring you back to email verification. You can now wait a few days if you know you'll be on the same IP without loss of security, and due to this overloading we think it's prudent to wait," the company said in a blog post update a few minutes ago. "We're asking if you're not being asked to change your password then hold off -- we're protecting everyone."
One security expert says the biggest concern is that if attackers did get to this database, they could then get the plain-text passwords and pose as the user to gain access to the user's email accounts or online banking accounts. "Resetting the master password is a good thing because [the attacker] couldn't use it anymore, but all of the individual passwords could be utilized for them to log into" the user's Web-based accounts, says Jeremy Conway, senior security researcher and product manager at NitroSecurity.
"I'm assuming the master password gets you into the system, and LastPass generates individual, unique strong passwords to all of the [user's] individual services. If you can crack all of the passwords from the database server and just use them to log into your email or VPN ... I assume [an attacker] could still use those," and those services wouldn't know it wasn't the actual user logging in, Conway says.
"Even if LastPass regenerates everything, you have the individual services depending on those [initial] usernames and passwords," he says. The user himself would theoretically then have to reset all of them individually, he says.
But LastPass' Siegrist says that given the amount of data his firm saw being siphoned out of its database, only a limited number of users are at risk of this. "We know the scale of data transferred, and it would only be a few hundred people's data that could be accessed that way, and even then only if they utilized a brute-forceable password.
"If we put ourselves in the attackers' shoes, we'd go after everyone's hashes, salts, and attack them that way, as it's more likely with more people to find someone not using a strong one," he says.
LastPass said in its blog post that its Asterisk phone server was overly accessible via UDP, but there was no sign of tampering there or of an attacker gaining administrative access to the database. Its source code and plug-ins appear to be intact also, and there's no sign of database-tampering. "We're rebuilding the boxes in question and have shut down and moved services from them in the meantime," according to the company's blog.
Meanwhile, Siegrist says the company plans to deploy a higher-end IPS and enlist an external firm to help with the investigation into what really happened. The company also is rolling out SHA-256 encryption on the server.
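The detection described at the top of this article, a server sending more traffic than it receives with nothing in the Web logs to explain it, amounts to reconciling network counters against application logs. The sketch below is an added example, not LastPass tooling; the host names, byte counts, thresholds, and record sizes are all constructed assumptions.

```python
# Added illustration: reconcile network egress against what application logs explain.
# All hosts, counters, thresholds and record sizes below are constructed assumptions.

# (hour, host, bytes_in, bytes_out) as reported by flow or interface counters
FLOWS = [
    ("h00", "db-01", 30_000_000, 20_000_000),
    ("h01", "db-01", 30_000_000, 90_000_000),
    ("h01", "voip-01", 5_000_000, 12_000_000),
    ("h02", "db-01", 28_000_000, 31_000_000),
]

# Outbound bytes attributable to logged, expected responses (web/app logs)
ACCOUNTED = {
    ("h00", "db-01"): 19_000_000,
    ("h01", "db-01"): 22_000_000,
    ("h01", "voip-01"): 11_500_000,
    ("h02", "db-01"): 30_000_000,
}

def unexplained_egress(flows, accounted, min_bytes=10_000_000, tolerance=0.10):
    """Flag intervals where a host sent more than it received AND a large
    share of that outbound volume has no matching application log entry."""
    findings = []
    for hour, host, b_in, b_out in flows:
        residual = b_out - accounted.get((hour, host), 0)
        # Require both an absolute floor and a relative share, so that small
        # logging gaps on busy hosts do not raise alerts.
        if b_out > b_in and residual > max(min_bytes, tolerance * b_out):
            findings.append((hour, host, residual))
    return findings

def exposure_bound(residual_bytes, record_bytes):
    """Upper bound on how many records of a given size fit in the residual."""
    return residual_bytes // record_bytes

if __name__ == "__main__":
    for hour, host, residual in unexplained_egress(FLOWS, ACCOUNTED):
        # Assumed sizes: 128 B per email+hash row, 100 kB per encrypted blob
        print(hour, host, residual,
              "credential rows <=", exposure_bound(residual, 128),
              "blobs <=", exposure_bound(residual, 100_000))
```

The same residual gives very different bounds for small credential rows and large encrypted blobs, which is the reasoning LastPass applies when it says the transfer could cover email addresses and hashes but not many users' data blobs.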