Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/5/2011
01:27 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Password Manager Service LastPass Investigating Possible Database Breach

Users must change master passwords -- but not all right now

The "last password you'll ever need" now requires a reset: LastPass is forcing users of the password manager service to change the single master password they created for accessing websites, virtual private networks, and Web mail accounts via the tool. The move comes in response to the company's discovery of unusual network activity around one of its databases.

LastPass says it detected a "network traffic anomaly" in a noncritical server that led to the discovery of a similar problem with its database that houses email addresses and salted password hashes: More traffic was going out of the server than was going in.

"Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt, and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blobs," LastPass said in its company blog.

Joe Siegrist, CEO of LastPass, told Dark Reading that this doesn't appear to be the result of a SQL injection attack because there aren't any "large or suspicious Web requests in the Web logs."

"We don't know details. We know that there was traffic we can't account for, so we're taking a 'worst possible scenario' view, which we think is appropriate," Siegrist says. "We are not emailing users. We lock them out if they're not coming from a known IP, and then redirecting [them] to a URL explaining [why]."

Users with strong passwords that are not dictionary-based should be safe: The biggest threat is an attacker brute-force hacking master passwords and then using that to get to users' data, according to LastPass. But erring on the side of caution, the company is forcing all users to change master passwords, and is also checking IPs and validating emails to ensure the users are who they say are, just in case.

But the password-changing traffic ended up overwhelming LastPass today traffic-wise, so not all users have to change their master passwords right away. "We're overloaded handling support and the sheer load of password changes is slowing us down. We've implemented a way for you to verify your email and then not be immediately forced to change your password for that IP, access from any other IP would bring you back to email verification. You can now wait a few days if you know you'll be on the same IP without loss of security, and due to this overloading we think that's prudent to wait," the company said in a blog post update a few minutes ago. "We're asking if you're not being asked to change your password then hold off -- we're protecting everyone."

One security expert says the biggest concern would be if attackers indeed got to this database, that they could then get the plain-text passwords and pose as the user to gain access to the user's email accounts or online banking accounts. "Resetting the master password is a good thing because [the attacker] couldn't use it anymore, but all of the individual passwords could be utilized for them to log into" the user's Web-based accounts, says Jeremy Conway, senior security researcher and product manager at NitroSecurity.

"I'm assuming the master password gets you into the system, and LastPass generates individual, unique strong passwords to all of the [user's] individual services. If you can crack all of the passwords from the database server and just use them to log into your email or VPN ... I assume [an attacker] could still use those," and those services wouldn't know it wasn't the actual user logging in, Conway says.

"Even if LastPass regenerates everything, you have the individual services depending on those [initial] usernames and passwords," he says. The user himself would theoretically then have to reset all of them individually, he says.

But LastPass' Siegrist says given the amount of data his firm saw being siphoned out of its database, only a limited number of users are at risk of this. "We know the scale of data transferred, and it would only be a few hundred peoples' data that could be accessed that way, and even then only if they utilized a brute-forceable password.

"If we put ourselves in the attackers' shoes, we'd go after everyone's hashes, salts, and attack them that way, as it's more likely with more people to find someone not using a strong one," he says.

LastPass said in its blog post that its Asterisk phone server was overly accessible via UDP, but there was no sign of tampering there or of an attacker gaining administrative access to the database. Its source code and plug-ins appear to be intact also, and there's no sign of database-tampering. "We're rebuilding the boxes in question and have shut down and moved services from them in the meantime," according to the company's blog.

Meanwhile, Siegrist says the company plans to deploy a higher-end IPS and enlist an external firm to help with the investigation into what really happened. The company also is rolling out SHA-256 encryption on the server.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4396
PUBLISHED: 2020-08-04
IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 1...
CVE-2020-4410
PUBLISHED: 2020-08-04
IBM Jazz Foundation and IBM Engineering products could allow an authenticated user to send a specially crafted HTTP GET request to read attachments on the server that they should not have access to. IBM X-Force ID: 179539.
CVE-2020-4459
PUBLISHED: 2020-08-04
IBM Security Verify Access 10.7 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 181395.
CVE-2020-4525
PUBLISHED: 2020-08-04
IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 1...
CVE-2020-4542
PUBLISHED: 2020-08-04
IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-force ID: 1...