The password management service LastPass recently announced that suspicious activity was “discovered and blocked” on its network on June 12, 2015.
While no LastPass user accounts were accessed and no encrypted user vault data (stored passwords) was stolen, the company’s investigation has determined that LastPass account email addresses, password reminders, server-side per-user salts and authentication hashes were compromised.
“We are confident that our encryption measures are sufficient to protect the vast majority of users,” company co-founder and CEO Joe Siegrist wrote in a blog post. “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”
Still, the company is requiring that all users who log in from a new device or IP address first verify their account by email, unless they have multifactor authentication enabled.
All users are also being notified by email, and will be prompted to change their master passwords. Users who may have reused their LastPass master passwords on other sites are being advised to change those passwords immediately.
“Security and privacy are our top concerns here at LastPass,” Siegrist wrote. “Over the years, we have been and continue to be dedicated to transparency and proactive measures to protect our users. In addition to the above steps, we’re working with the authorities and security forensic experts.”
Rapid7 security engineering manager Tod Beardsley told eSecurity Planet by email that the speed with which LastPass disclosed the breach — three days — is a good sign. “I’m very happy to see that they’re forthcoming in a matter of a weekend’s time that something happened at LastPass HQ, and I’m sure as they work through their incident response procedures, LastPass users will get a more detailed picture of what was compromised and what LastPass is doing about it,” he said.
Still, Beardsley said, the notification makes it clear that the attackers have all they need to start brute-forcing master passwords. “So far, the attackers do not seem to have access to the passwords encrypted with that master password,” he said. “They incidentally have a list of LastPass users by e-mail address.”
“The fact that the attackers are now armed with a list of LastPass users by e-mail means that we may see some targeted phishing campaigns, presenting users with fake ‘Update your LastPass master password’ links,” Beardsley added. “So, while further direct communication from LastPass to their users about this breach should be welcome, it should be treated with suspicion if there are any embedded links and calls to action.”
And Authentify vice president John Zurawski said by email that requiring multi-factor authentication would be a smart next step for the company. “They offer their end users more than half a dozen forms of multi-factor authentication options, but they are just that — options,” he said. “Most end users are not security professionals. They won’t automatically choose extra security because they don’t understand the danger at a deep enough level. Stronger multi-factor authentication should be a requisite.”