Password storage service LastPass has issued a statement saying a potential hack of their system (network traffic anomaly) may have revealed:
- User email addresses
- Hashed passwords
- Server Salt
That last one, as you know if you've been following me so far, is the big one: together with the hashed passwords it provides enough information to brute-force them offline. If a LastPass user's master password is weak it will not take long to crack. Significantly complex passwords will be much harder.
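To show why the salt matters, here is an added example (not code from the post, and not LastPass's actual scheme, which the post does not describe): once an attacker holds the server salt and a stored hash, every master-password guess can be checked offline, with no rate limit or lockout, so the only costs left are the size of the password's keyspace and the price of one hash. The salt value, the two hash constructions and the 4-digit "password" are all constructed for the example; the hardened form uses PBKDF2 to make each guess expensive.

```python
import hashlib
import hmac
import itertools
import string
import time

# Constructed server salt, standing in for the one the post says may have leaked.
SALT = b"constructed-server-salt"

def fast_hash(password: str, salt: bytes = SALT) -> bytes:
    """One salted SHA-256 pass: cheap to compute, so cheap to guess against."""
    return hashlib.sha256(salt + password.encode()).digest()

def slow_hash(password: str, salt: bytes = SALT, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def offline_guess(stored: bytes, candidates, hash_fn):
    """Check candidate master passwords against a stored hash with no server involved.
    With salt and hash in hand there is no rate limit or lockout, only the cost
    of hash_fn per guess. Returns (matching password or None, guesses tried)."""
    tried = 0
    for guess in candidates:
        tried += 1
        if hmac.compare_digest(hash_fn(guess), stored):
            return guess, tried
    return None, tried

def digit_pins(length: int):
    """Every numeric string of the given length: a tiny, weak keyspace."""
    for combo in itertools.product(string.digits, repeat=length):
        yield "".join(combo)

def guesses_per_second(hash_fn, sample: str = "1234", seconds: float = 0.2) -> float:
    """Rough single-core guess rate for hash_fn (a timing estimate, not exact)."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(sample)
        n += 1
    return n / (time.perf_counter() - start)

if __name__ == "__main__":
    weak = fast_hash("1234")  # a 4-digit master password under the fast scheme
    print(offline_guess(weak, digit_pins(4), fast_hash))  # ('1234', 1235)
    fast, slow = guesses_per_second(fast_hash), guesses_per_second(slow_hash)
    print(f"fast: {fast:,.0f}/s  pbkdf2: {slow:,.0f}/s  slowdown x{fast / slow:,.0f}")
```

The weak password falls after 1,235 guesses under the fast scheme; the same search against PBKDF2 costs roughly 100,000 times more per guess, and a long master password drawn from a large keyspace multiplies that again.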
All of that is based on a data transfer from a database server that they cannot explain.
LastPass deserve credit for the response, which includes insisting that all users change their password immediately and identify themselves (via a previously used IP address or email verification). But security improvements that had already been identified but not applied are a significant issue here. The new security features sound good.
The blog entry is again interesting reading, especially the potential ingress route used.
It is worth noting that this is a potential issue, not a verified one. It is a precautionary step by LastPass, but the indicators would require this response. Also note that this is the second breach at LastPass recently.
Normal advice applies:
- Change the password ASAP
- If you used the same email or password elsewhere, ensure you change that password too.
- Change all account passwords stored in LastPass
- Check all activity on accounts you use LastPass for