Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:27 PM
Connect Directly

Password Manager Service LastPass Investigating Possible Database Breach

Users must change master passwords -- but not all right now

The "last password you'll ever need" now requires a reset: LastPass is forcing users of the password manager service to change the single master password they created for accessing websites, virtual private networks, and Web mail accounts via the tool. The move comes in response to the company's discovery of unusual network activity around one of its databases.

LastPass says it detected a "network traffic anomaly" in a noncritical server that led to the discovery of a similar problem with its database that houses email addresses and salted password hashes: More traffic was going out of the server than was going in.

"Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt, and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blobs," LastPass said in its company blog.

Joe Siegrist, CEO of LastPass, told Dark Reading that this doesn't appear to be the result of a SQL injection attack because there aren't any "large or suspicious Web requests in the Web logs."

"We don't know details. We know that there was traffic we can't account for, so we're taking a 'worst possible scenario' view, which we think is appropriate," Siegrist says. "We are not emailing users. We lock them out if they're not coming from a known IP, and then redirecting [them] to a URL explaining [why]."

Users with strong passwords that are not dictionary-based should be safe: The biggest threat is an attacker brute-force hacking master passwords and then using that to get to users' data, according to LastPass. But erring on the side of caution, the company is forcing all users to change master passwords, and is also checking IPs and validating emails to ensure the users are who they say are, just in case.

But the password-changing traffic ended up overwhelming LastPass today traffic-wise, so not all users have to change their master passwords right away. "We're overloaded handling support and the sheer load of password changes is slowing us down. We've implemented a way for you to verify your email and then not be immediately forced to change your password for that IP, access from any other IP would bring you back to email verification. You can now wait a few days if you know you'll be on the same IP without loss of security, and due to this overloading we think that's prudent to wait," the company said in a blog post update a few minutes ago. "We're asking if you're not being asked to change your password then hold off -- we're protecting everyone."

One security expert says the biggest concern would be if attackers indeed got to this database, that they could then get the plain-text passwords and pose as the user to gain access to the user's email accounts or online banking accounts. "Resetting the master password is a good thing because [the attacker] couldn't use it anymore, but all of the individual passwords could be utilized for them to log into" the user's Web-based accounts, says Jeremy Conway, senior security researcher and product manager at NitroSecurity.

"I'm assuming the master password gets you into the system, and LastPass generates individual, unique strong passwords to all of the [user's] individual services. If you can crack all of the passwords from the database server and just use them to log into your email or VPN ... I assume [an attacker] could still use those," and those services wouldn't know it wasn't the actual user logging in, Conway says.

"Even if LastPass regenerates everything, you have the individual services depending on those [initial] usernames and passwords," he says. The user himself would theoretically then have to reset all of them individually, he says.

But LastPass' Siegrist says given the amount of data his firm saw being siphoned out of its database, only a limited number of users are at risk of this. "We know the scale of data transferred, and it would only be a few hundred peoples' data that could be accessed that way, and even then only if they utilized a brute-forceable password.

"If we put ourselves in the attackers' shoes, we'd go after everyone's hashes, salts, and attack them that way, as it's more likely with more people to find someone not using a strong one," he says.

LastPass said in its blog post that its Asterisk phone server was overly accessible via UDP, but there was no sign of tampering there or of an attacker gaining administrative access to the database. Its source code and plug-ins appear to be intact also, and there's no sign of database-tampering. "We're rebuilding the boxes in question and have shut down and moved services from them in the meantime," according to the company's blog.

Meanwhile, Siegrist says the company plans to deploy a higher-end IPS and enlist an external firm to help with the investigation into what really happened. The company also is rolling out SHA-256 encryption on the server.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183
PUBLISHED: 2020-08-11
The Temi application 1.3.3 through 1.3.7931 for Android has hard-coded credentials.
PUBLISHED: 2020-08-11
radare2 4.5.0 misparses signature information in PE files, causing a segmentation fault in r_x509_parse_algorithmidentifier in libr/util/x509.c. This is due to a malformed object identifier in IMAGE_DIRECTORY_ENTRY_SECURITY.