Password Manager Service LastPass Investigating Possible Database Breach

  /     /     /  
Publicated : 22/11/2024   Category : security


Password Manager Service LastPass Investigating Possible Database Breach


Users must change master passwords -- but not all right now



The last password youll ever need now requires a reset: LastPass is forcing users of the password manager service to change the single master password they created for accessing websites, virtual private networks, and Web mail accounts via the tool. The move comes in response to the companys discovery of unusual network activity around one of its databases.
LastPass says it detected a network traffic anomaly in a noncritical server that led to the discovery of a similar problem with its database that houses email addresses and salted password hashes: More traffic was going out of the server than was going in.
Because we cant account for this anomaly either, were going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that its big enough to have transferred peoples email addresses, the server salt, and their salted password hashes from the database. We also know that the amount of data taken isnt remotely enough to have pulled many users encrypted data blobs, LastPass said in its company blog.
Joe Siegrist, CEO of LastPass, told
Dark Reading
that this doesnt appear to be the result of a SQL injection attack because there arent any large or suspicious Web requests in the Web logs.
We dont know details. We know that there was traffic we cant account for, so were taking a worst possible scenario view, which we think is appropriate, Siegrist says. We are not emailing users. We lock them out if theyre not coming from a known IP, and then redirecting [them] to a URL explaining [why].
Users with strong passwords that are not dictionary-based should be safe: The biggest threat is an attacker brute-force hacking master passwords and then using that to get to users data, according to LastPass. But erring on the side of caution, the company is forcing all users to change master passwords, and is also checking IPs and validating emails to ensure the users are who they say are, just in case.
But the password-changing traffic ended up overwhelming LastPass today traffic-wise, so not all users have to change their master passwords right away. Were overloaded handling support and the sheer load of password changes is slowing us down. Weve implemented a way for you to verify your email and then not be immediately forced to change your password for that IP, access from any other IP would bring you back to email verification. You can now wait a few days if you know youll be on the same IP without loss of security, and due to this overloading we think thats prudent to wait, the company said in a blog post update a few minutes ago. Were asking if youre not being asked to change your password then hold off -- were protecting everyone.
One security expert says the biggest concern would be if attackers indeed got to this database, that they could then get the plain-text passwords and pose as the user to gain access to the users email accounts or online banking accounts. Resetting the master password is a good thing because [the attacker] couldnt use it anymore, but all of the individual passwords could be utilized for them to log into the users Web-based accounts, says Jeremy Conway, senior security researcher and product manager at NitroSecurity.
Im assuming the master password gets you into the system, and LastPass generates individual, unique strong passwords to all of the [users] individual services. If you can crack all of the passwords from the database server and just use them to log into your email or VPN ... I assume [an attacker] could still use those, and those services wouldnt know it wasnt the actual user logging in, Conway says.
Even if LastPass regenerates everything, you have the individual services depending on those [initial] usernames and passwords, he says. The user himself would theoretically then have to reset all of them individually, he says.
But LastPass Siegrist says given the amount of data his firm saw being siphoned out of its database, only a limited number of users are at risk of this. We know the scale of data transferred, and it would only be a few hundred peoples data that could be accessed that way, and even then only if they utilized a brute-forceable password.
If we put ourselves in the attackers shoes, wed go after everyones hashes, salts, and attack them that way, as its more likely with more people to find someone not using a strong one, he says.
LastPass
said in its blog post
that its Asterisk phone server was overly accessible via UDP, but there was no sign of tampering there or of an attacker gaining administrative access to the database. Its source code and plug-ins appear to be intact also, and theres no sign of database-tampering. Were rebuilding the boxes in question and have shut down and moved services from them in the meantime, according to the companys blog.
Meanwhile, Siegrist says the company plans to deploy a higher-end IPS and enlist an external firm to help with the investigation into what really happened. The company also is rolling out SHA-256 encryption on the server.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Some DLP Products Vulnerable to Security Holes ◂
Discovered: 23/12/2024
Category: security

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Password Manager Service LastPass Investigating Possible Database Breach