
posted by n1 on Tuesday June 16 2015, @12:23AM
from the hunter2 dept.

LastPass, a password management service, has informed its customers that its network was successfully targeted by hackers.

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.

Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.

SecurityWeek reports:

Rapid7 Security Engineering Manager Tod Beardsley said that he was pleased to see that LastPass disclosed the breach in a weekend's time. He added however that the attackers apparently have all they need to start brute-forcing master passwords.

"The fact that the attackers are now armed with a list of LastPass users by e-mail means that we may see some targeted phishing campaigns, presenting users with fake “Update your LastPass master password” links," said Beardsley. "So, while further direct communication from LastPass to their users about this breach should be welcome, it should be treated with suspicion if there are any embedded links and calls to action."

Additional reporting at The Register notes:

Some LastPass users weren't pleased with how they found out about the breach, either. In comments posted to the company's website on Monday, many expressed dismay that they learned of the incident via online reports on LifeHacker, Reddit, Twitter, and elsewhere, rather than via direct email from LastPass.

"What the hell guys?" one user who identified himself as "Ian" wrote. "I'm not annoyed that you got breached, I'm annoyed that as a paying customer, I found out about it via facebook."

Others complained of problems when trying to change their master passwords, or being locked out of their accounts after making the change.

Also, IT World reported:

The master password change is especially important for users with weak passwords, such as single dictionary words, who will be most at risk of having their passwords cracked. People who use their master password for other accounts should change the password for those other sites as well.

It’s not the first time that LastPass has been hacked. In 2011, the company also suffered a breach, though this attack is different because LastPass knew right away what was taken and has fortified the way it stores passwords in order to better protect against attackers cracking them.
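The two-stage hashing LastPass describes above (client-side PBKDF2 rounds, then a random per-user server salt and 100,000 further rounds of PBKDF2-SHA256 before storage) is illustrated by the added Python example below; it is not LastPass's code. The 100,000 server-side rounds come from the statement; the client-side round count, the use of the account e-mail as the client-side salt, and the 32-byte output length are assumptions.

```python
import hashlib
import hmac
import os

# SERVER_ROUNDS is the figure from the LastPass statement. CLIENT_ROUNDS, the
# e-mail-as-client-salt choice and KEY_LEN are assumptions for this illustration.
CLIENT_ROUNDS = 5000
SERVER_ROUNDS = 100_000
KEY_LEN = 32


def client_auth_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """What the client sends at login: PBKDF2-SHA256 of the master password,
    salted with the (normalised) account e-mail. The raw password never leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.strip().lower().encode(), rounds, KEY_LEN
    )


def server_strengthen(auth_hash: bytes, per_user_salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """What the server stores: the client hash fed through PBKDF2-SHA256 again with a
    random per-user salt. An attacker holding salt + stored hash must redo all
    CLIENT_ROUNDS + SERVER_ROUNDS iterations for every password guess, per user."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, rounds, KEY_LEN)


def enroll(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Create the server-side record for a user: (per-user salt, strengthened hash).
    Changing the master password means calling this again with a fresh salt."""
    salt = os.urandom(16)
    return salt, server_strengthen(client_auth_hash(master_password, email), salt)


def verify(master_password: str, email: str, record: tuple[bytes, bytes]) -> bool:
    """Recompute both stages and compare in constant time against the stored hash."""
    salt, stored = record
    candidate = server_strengthen(client_auth_hash(master_password, email), salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample account, not real credentials.
    rec = enroll("correct horse battery staple", "user@example.com")
    print("stored salt:", rec[0].hex(), "stored hash:", rec[1].hex())
    print("login with right password:", verify("correct horse battery staple", "user@example.com", rec))
    print("login with wrong password:", verify("hunter2", "user@example.com", rec))
```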

(Score: 5, Funny) by aristarchus (2645) on Tuesday June 16 2015, @02:43AM (#196714)

    My bank account is still only in my head.

    Hey, so is mine! Sometimes I wish it were in an actual bank, but at least they will never be able to crack the password!
