Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/5/2011
01:27 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Password Manager Service LastPass Investigating Possible Database Breach

Users must change master passwords -- but not all right now

The "last password you'll ever need" now requires a reset: LastPass is forcing users of the password manager service to change the single master password they created for accessing websites, virtual private networks, and Web mail accounts via the tool. The move comes in response to the company's discovery of unusual network activity around one of its databases.

LastPass says it detected a "network traffic anomaly" in a noncritical server that led to the discovery of a similar problem with its database that houses email addresses and salted password hashes: More traffic was going out of the server than was going in.

"Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt, and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blobs," LastPass said in its company blog.

Joe Siegrist, CEO of LastPass, told Dark Reading that this doesn't appear to be the result of a SQL injection attack because there aren't any "large or suspicious Web requests in the Web logs."

"We don't know details. We know that there was traffic we can't account for, so we're taking a 'worst possible scenario' view, which we think is appropriate," Siegrist says. "We are not emailing users. We lock them out if they're not coming from a known IP, and then redirecting [them] to a URL explaining [why]."

Users with strong passwords that are not dictionary-based should be safe: The biggest threat is an attacker brute-force hacking master passwords and then using that to get to users' data, according to LastPass. But erring on the side of caution, the company is forcing all users to change master passwords, and is also checking IPs and validating emails to ensure the users are who they say are, just in case.

But the password-changing traffic ended up overwhelming LastPass today traffic-wise, so not all users have to change their master passwords right away. "We're overloaded handling support and the sheer load of password changes is slowing us down. We've implemented a way for you to verify your email and then not be immediately forced to change your password for that IP, access from any other IP would bring you back to email verification. You can now wait a few days if you know you'll be on the same IP without loss of security, and due to this overloading we think that's prudent to wait," the company said in a blog post update a few minutes ago. "We're asking if you're not being asked to change your password then hold off -- we're protecting everyone."

One security expert says the biggest concern would be if attackers indeed got to this database, that they could then get the plain-text passwords and pose as the user to gain access to the user's email accounts or online banking accounts. "Resetting the master password is a good thing because [the attacker] couldn't use it anymore, but all of the individual passwords could be utilized for them to log into" the user's Web-based accounts, says Jeremy Conway, senior security researcher and product manager at NitroSecurity.

"I'm assuming the master password gets you into the system, and LastPass generates individual, unique strong passwords to all of the [user's] individual services. If you can crack all of the passwords from the database server and just use them to log into your email or VPN ... I assume [an attacker] could still use those," and those services wouldn't know it wasn't the actual user logging in, Conway says.

"Even if LastPass regenerates everything, you have the individual services depending on those [initial] usernames and passwords," he says. The user himself would theoretically then have to reset all of them individually, he says.

But LastPass' Siegrist says given the amount of data his firm saw being siphoned out of its database, only a limited number of users are at risk of this. "We know the scale of data transferred, and it would only be a few hundred peoples' data that could be accessed that way, and even then only if they utilized a brute-forceable password.

"If we put ourselves in the attackers' shoes, we'd go after everyone's hashes, salts, and attack them that way, as it's more likely with more people to find someone not using a strong one," he says.

LastPass said in its blog post that its Asterisk phone server was overly accessible via UDP, but there was no sign of tampering there or of an attacker gaining administrative access to the database. Its source code and plug-ins appear to be intact also, and there's no sign of database-tampering. "We're rebuilding the boxes in question and have shut down and moved services from them in the meantime," according to the company's blog.

Meanwhile, Siegrist says the company plans to deploy a higher-end IPS and enlist an external firm to help with the investigation into what really happened. The company also is rolling out SHA-256 encryption on the server.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18216
PUBLISHED: 2019-10-20
** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access ...
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.