BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage News Password Manager LastPass Suffers Hacking Attack

Password Manager LastPass Suffers Hacking Attack

This item in japanese

Bookmarks

The web-based LastPass password management service was hacked on Friday, June 12, 2015 according to a company announcement made on June 15.  According to the firm, “... LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised” by this intrusion.  Calling the attack “suspicious activity”, the firm says that they “... are confident that our encryption measures are sufficient to protect the vast majority of users”.

LastPass says that it uses several techniques to secure authentication hashes, including “[strengthening] the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side.”  These measures are intended to prevent fast attacks on the hashes by those in possession of them.  Now that these user authentication hashes are in the wild, the firm is taking several measures to prevent their misuse.  Users logging in from a new IP or device are required to verify their account by email (unless multifactor authentication is enabled.)  All users are also being sent an email from LastPass asking them to change their master password.

In an updated post dated June 16, 2015, the firm has provided additional answers to users questioning LastPass's response to the incident.  Per this post, firm states that it never has access to the unencrypted master password-- before being sent to the LastPass servers it is locally salted which is in addition to the server-side strengthening described above.  According to LastPass, each user's master password has a unique “per-user” salt.  This means each user has to be attacked individually.  The firm is stating the information stored in a user's data vault has not been compromised.

User reaction to the compromise clearly exhibits the sensitive nature of this hack.  User “Disturbed” wrote:

 “While you were honest, you were not competent to do the very thing I pay you to do, which is keep my passwords secret and safe. That is very hard for me, it makes trust difficult, and I am not certain there is a path forward where I continue to allow you to store my data. I understand that you do not believe the user vaults were explored, but last Thursday you believed no one could break in and take your data.... You did the right thing, you owned it, and for that, I might see the light, but on the other hand can I stake my professional future and my livelihood on it? I’m just not sure right now.” 

User Peter Birch wrote:

“...I think Last Pass have been very professional and forthright in explaining what has happened, what they are doing about it, and how it affects us.  I’m happy to continue my Premium subscription for such a good service!”

User Rob Allen indicates that perspective should be maintained:

“Disgruntled customers need to get off the grid...Our internet is under assault by nation state sponsored attacks. Every thing you do, every entry you make into a digital device, the Internet of everything you connect is vulnerable. The absolute best you can do is what happened here... You complainers are going to cause good companies to withdraw from announcing problems. This hurts everybody. By announcing what happened, other companies can respond on their peremiter [sic] defenses... No one connected to the Internet is safe from attack. Only with transparency in reporting will some measure of security be achieved.”

Rate this Article

Adoption
Style

BT