The free password manager LastPass, a browser extension that stores passwords and automates form filling, has suffered an external attack in which attackers may have stolen user email addresses, the server salt and salted password hashes.
Posting on the company blog, the LastPass team explains that evidence of an attack was first noticed on Tuesday after the server logs were checked and anomalies identified and investigated. Network traffic spiked for a few minutes on one of the non-critical LastPass machines. Unable to identify the cause, the team then noticed a similar traffic spike in the opposite direction, suggesting that the data on the machine had somehow been accessed.
LastPass explains what it thinks might have been compromised:
We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users’ encrypted data blobs.
Users with a “strong, non-dictionary based password or pass phrase” should not be affected: LastPass believes that attackers would need to brute-force users’ master passwords before they could gain access to any user data.
LastPass urges all of its users to change their passwords to counter the threat and has put in place an additional security check that identifies whether the user is logging in from an IP address they have used before, and otherwise requires their email address to be validated. The company believes this would thwart attackers even if they recovered master passwords, as they would not have access to the user’s email account or IP address.
As a result of the compromise, LastPass is taking the opportunity to introduce stronger password hashing on its servers:
We’re also taking this as an opportunity to roll out something we’ve been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We’ll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we’ll continue to find ways to reduce how large a target we are.
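The scheme the post describes, as an added example that is not LastPass’s own code: the client stretches the master password with PBKDF2 before it leaves the browser, and the server stretches the result again with SHA-256, a random 256-bit salt and 100,000 rounds. The client round count and the use of the email address as the client salt are assumptions for this example; the post gives neither.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Server parameters quoted from the LastPass post.
SERVER_ROUNDS = 100_000
SALT_BYTES = 32          # 256-bit salt
# Assumption: the post promises a client implementation but gives no round count.
CLIENT_ROUNDS = 5_000


def client_derive(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password before it ever leaves the browser.

    Assumption: the lower-cased email is the client salt, so it is available on
    every login without a round trip. The raw master password is never sent."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def server_hash(auth_key: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Server side: PBKDF2-HMAC-SHA256 over the client-derived key with a random
    per-user salt. Only (salt, hash) is stored, which is what a database dump
    like the one described in the post would expose."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return salt, hashlib.pbkdf2_hmac("sha256", auth_key, salt, SERVER_ROUNDS)


def verify(stored_salt: bytes, stored_hash: bytes, auth_key: bytes) -> bool:
    """Recompute the hash under the stored salt and compare in constant time so
    the comparison does not leak how many leading bytes matched."""
    _, candidate = server_hash(auth_key, stored_salt)
    return hmac.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    # Constructed sample credentials, not real data.
    email, password = "user@example.com", "correct horse battery staple"
    salt, stored = server_hash(client_derive(password, email))
    print("salt:", salt.hex())
    print("hash:", stored.hex())
    print("login ok:", verify(salt, stored, client_derive(password, email)))
```

Each guess against a stolen (email, salt, hash) row costs the attacker the full 100,000 rounds, and the per-user salt means the work cannot be shared across users or precomputed.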
The biggest problem LastPass has faced is working out exactly what happened: its servers were more open than they needed to be, and the log files give little to go on. The company has since rebuilt its boxes, shut down and moved services, and verified the source code on its websites.
Unfortunately, none of that will help if attackers are able to gain access to more than just a password. If you are a LastPass user, we recommend that you change your password immediately and check the LastPass blog frequently for more information from the team.