Passwords at Risk: Breach Suspected at Password Storage Provider LastPass
Noticing anomalies for which it couldn't account, online password management company LastPass is treating the situation as if it were a breach.
"We're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed," LastPass said in a blog posting Wednesday. "We know roughly the amount of data transferred and that it's big enough to have transferred people's e-mail addresses. ... We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs."
LastPass, which provides cross-platform password storage for millions of users, is a password manager: a single master password unlocks a user's encrypted vault of credentials for other sites across the Web, so the master password is the one secret that protects all the others.
On Tuesday, LastPass noticed anomalies in its network traffic patterns, and those anomalies are what led to concerns about a breach. LastPass now says it may have overreacted, but that it wanted to err on the side of caution.
According to the LastPass post, which has been updated several times, the anomalies in network traffic occurred on one non-critical machine. "These happen occasionally, and we typically identify them as an employee or an automated script," the blog post states. "After delving into the anomaly, we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction [more traffic was sent from the database compared to what was received on the server]."
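The signal LastPass describes is a volume anomaly with a direction: a database host sending more than it normally does while another host receives more than it normally does in the same window. The following is an added example, not LastPass's own tooling, of how that check can be expressed over per-interval byte counts: each host gets its own robust baseline (median and MAD, so a single huge interval cannot drag the baseline up), an interval is flagged only when its directional ratio exceeds the baseline by a large margin in that direction, and outbound spikes on one host are then paired with inbound spikes on another. The host names, timestamps and byte counts are constructed for the illustration.

```python
"""Direction-aware traffic-volume anomaly detection over per-interval byte counts."""
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    ts: str        # interval start, ISO-8601
    host: str
    bytes_in: int
    bytes_out: int


# Constructed sample (not real LastPass data): hourly byte counts for a
# database host and a non-critical web host. Both normally move about twice
# as much traffic one way as the other; in the 14:00 interval the database
# sends far more than usual while the web host receives far more than usual.
SAMPLE = [
    Interval("2011-05-03T05:00", "db-1", 1_000_000, 2_000_000),
    Interval("2011-05-03T06:00", "db-1",   900_000, 1_890_000),
    Interval("2011-05-03T07:00", "db-1", 1_100_000, 2_090_000),
    Interval("2011-05-03T08:00", "db-1", 1_000_000, 2_200_000),
    Interval("2011-05-03T09:00", "db-1",   950_000, 1_805_000),
    Interval("2011-05-03T10:00", "db-1", 1_050_000, 2_100_000),
    Interval("2011-05-03T11:00", "db-1", 1_000_000, 1_800_000),
    Interval("2011-05-03T12:00", "db-1", 1_200_000, 2_520_000),
    Interval("2011-05-03T13:00", "db-1",   980_000, 2_058_000),
    Interval("2011-05-03T14:00", "db-1", 1_100_000, 44_000_000),   # outbound spike
    Interval("2011-05-03T15:00", "db-1", 1_000_000, 2_000_000),
    Interval("2011-05-03T05:00", "web-7",   500_000, 1_000_000),
    Interval("2011-05-03T06:00", "web-7",   450_000, 1_000_000),
    Interval("2011-05-03T07:00", "web-7",   550_000, 1_000_000),
    Interval("2011-05-03T08:00", "web-7",   500_000,   900_000),
    Interval("2011-05-03T09:00", "web-7",   500_000, 1_100_000),
    Interval("2011-05-03T10:00", "web-7",   520_000, 1_000_000),
    Interval("2011-05-03T11:00", "web-7",   480_000, 1_000_000),
    Interval("2011-05-03T12:00", "web-7",   500_000, 1_000_000),
    Interval("2011-05-03T13:00", "web-7",   510_000, 1_020_000),
    Interval("2011-05-03T14:00", "web-7", 20_000_000, 1_000_000),  # inbound spike
    Interval("2011-05-03T15:00", "web-7",   500_000, 1_000_000),
]


def direction_ratio(iv: Interval, direction: str) -> float:
    """Bytes moved in `direction` ("in" or "out") per byte moved the opposite way."""
    num, den = (iv.bytes_out, iv.bytes_in) if direction == "out" else (iv.bytes_in, iv.bytes_out)
    return num / max(den, 1)


def robust_baseline(values):
    """Median and a MAD-derived scale; one enormous interval barely moves either."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med, 1.4826 * max(mad, 1e-9)


def flag_anomalies(records, direction, threshold=5.0):
    """Map (ts, host) -> robust z-score for intervals with unusually MUCH traffic in `direction`."""
    by_host = defaultdict(list)
    for iv in records:
        by_host[iv.host].append(iv)
    flagged = {}
    for host, ivs in by_host.items():
        ratios = [direction_ratio(iv, direction) for iv in ivs]
        med, scale = robust_baseline(ratios)
        for iv, r in zip(ivs, ratios):
            z = (r - med) / scale
            if z > threshold:            # signed: only an excess in this direction counts
                flagged[(iv.ts, host)] = round(z, 1)
    return flagged


def correlate(records, threshold=5.0):
    """Pair an outbound spike on one host with an inbound spike on another in the same interval."""
    out_hits = flag_anomalies(records, "out", threshold)
    in_hits = flag_anomalies(records, "in", threshold)
    pairs = [(ts, src, dst)
             for (ts, src) in out_hits
             for (ts2, dst) in in_hits
             if ts == ts2 and src != dst]
    return sorted(pairs)


if __name__ == "__main__":
    for ts, src, dst in correlate(SAMPLE):
        print(f"{ts}: {src} sent a spike while {dst} received one; investigate the pair")
```

A per-host baseline is what keeps the check usable in practice: a database legitimately answers more than it is asked, so a global "out exceeds in" rule would fire constantly, while a host-relative, direction-signed score fires only on the departure from that host's own norm. The pairing step is cheap triage, not proof; as the post itself notes, such anomalies are often an employee or an automated script, and the pair only tells you which two hosts to look at first.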
Suzanne Matick, a spokeswoman for network forensics provider Solera Networks, says that if LastPass has been breached, countless companies will be affected. "We are just watching at this point, as we have customers who work with LastPass," she says. "If their data is breached, this will be huge."
If LastPass has been breached, it will mark the fourth major online hack in the last two months, after RSA, whose SecurID multifactor authentication products were compromised; Epsilon, whose e-mail databases were accessed by hackers; and Sony, which recently disclosed that distributed denial-of-service attacks on its PlayStation Network and Qriocity music service masked simultaneous intrusions exposing the personally identifiable information of tens of millions of customer accounts. Corporate breaches are becoming nearly daily occurrences.
In this case, LastPass says the data that was transferred could have included e-mail addresses as well as password hashes, but, by its own estimate, not nearly enough to account for many users' encrypted data blobs.
LastPass is forcing its users to change their master passwords, as a precautionary measure. "Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your e-mail address," the blog states.
With the IP validation, even an attacker who had obtained a master password could be denied access when logging in from an IP address outside the blocks that user had used before. The forced reset is the primary control, since leaked password hashes can be attacked offline at the attacker's leisure; the IP check only adds a second hurdle.
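One way to implement the "IP block you've used before" step-up that LastPass describes, as an added example rather than LastPass's own code: previously seen addresses are recorded per user at block granularity, and a correct password from an unfamiliar block produces an e-mail verification step instead of a session. The block sizes (a /24 for IPv4, a /64 for IPv6), the user names and the login history are assumptions made for the illustration, not LastPass's published policy.

```python
"""Step-up decision after a master-password reset: trust only previously seen IP blocks."""
import ipaddress

# Assumed block granularity (an illustrative choice, not LastPass's policy):
# a /24 for IPv4, a /64 for IPv6 (the usual size of one customer's IPv6 allocation).
V4_PREFIX = 24
V6_PREFIX = 64


def block_of(ip: str):
    """Normalise an address to the network block it belongs to."""
    addr = ipaddress.ip_address(ip)
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


# Constructed login history (not real data): user -> blocks seen on successful logins.
HISTORY = {
    "alice@example.com": {block_of("203.0.113.45"), block_of("2001:db8:1:2::10")},
    "bob@example.com": {block_of("198.51.100.7")},
}


def login_decision(user: str, ip: str, password_ok: bool, history=HISTORY) -> str:
    """Return 'deny', 'allow' or 'verify-email'.

    The password is checked first so that the response never reveals whether an
    IP block is known for a user whose password the caller does not have.
    """
    if not password_ok:
        return "deny"
    known = history.get(user, set())
    return "allow" if block_of(ip) in known else "verify-email"


def record_login(user: str, ip: str, history=HISTORY) -> None:
    """Call after the e-mail verification succeeds so the new block becomes trusted."""
    history.setdefault(user, set()).add(block_of(ip))


if __name__ == "__main__":
    print(login_decision("alice@example.com", "203.0.113.200", True))   # same /24 -> allow
    print(login_decision("alice@example.com", "203.0.114.1", True))     # new block -> verify-email
    record_login("alice@example.com", "203.0.114.1")
    print(login_decision("alice@example.com", "203.0.114.1", True))     # now allow
```

Note what this does and does not buy: an attacker who has recovered a master password but connects from a different block is pushed to the e-mail check, which is why the post pairs the two controls; an attacker on the same NAT or ISP block as the victim, or who also controls the victim's mailbox, is not stopped by it. The ordering in `login_decision` matters too: checking the block before the password would let anyone probe which networks a user logs in from.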
Just after 7 p.m. Thursday night, nearly 800 user comments had been posted to the blog.