People who prefer to store their numerous, ever-growing list of passwords in the cloud were in for a big surprise when LastPass revealed earlier in the week a possible security breach in its networks and asked users to reset their master passwords connecting to the site.
Many users got locked out not just from LastPass, an online password management provider, but from their myriad accounts such as Gmail. LastPass CEO Joe Siegrist confirmed in an interview with PC World that the threat posed by hackers was less serious than initially thought. The service had asked users to reset their passwords to avert possible data compromises.
"Seriously dude, this is bad stuff. I'm locked out of ALL my different accounts, and it isn't accepting my lastpass master passphrase. I guess I learned my lesson here. There is no way in hell that I'm storing my important logins/passwords in the cloud again," one person commented on the LastPass blog.
Earlier, LastPass had said the sheer load of password changes was slowing down the network. Reacting to users' angst over the password issue, the service said it was changing tactics and offered to help out users. A post on the blog said the following: "We're switching tactics -- if you've made the password change already we'll handle you normally. If you haven't, the vast majority of you will be logged in using 'offline' mode so you can still use LastPass like normal and get back to your day; only syncing of new passwords should suffer (and you'll see the bar)."
Users reacted to the LastPass blog post with questions, hesitation, and worry. Another person had this to say: "Quick question; lastpass seems to be unusable until I change my master password, but I can't login to gmail without lastpass giving me my gmail password. So how do I reset my lastpass master password if I can't login to my email?"
Yet another comment reflected more severe foreboding: "This is very disturbing. Whilst it may well be overkill and paranoia, the fact that attempts and anomalies are being logged doesn't make one confident in storing their data with LP."
LastPass is a password manager and form filler that works with all platforms and smartphones. The company says it makes browsing the web easier and more secure.
LastPass said it detected on Tuesday morning a network traffic anomaly on one of its non-critical machines. Alarm bells rang because it could not immediately find the root cause. "Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed," the blog post had said. The company said the amount of data transferred was big enough to have included people's email addresses, the server salt and their salted password hashes from the database.
"To counter that potential threat, we're going to force everyone to change their master passwords," the blog said.
However, according to the post, users with a strong, non-dictionary-based password or passphrase were unlikely to be affected.
In an exclusive interview with PC World, Siegrist said the threat did not look severe and that he may have been too alarmist in his initial response, but he still advised caution: "We're trying to look at what is the worst possible case and how we can mitigate any risks coming out of that. Could this be just some kind of weird glitch? It could. But we haven't had any of those before, and we've been watching this a long time."
He explained how a large-scale compromise could unfold: "You can combine the user's e-mail, a guess on their master password, and the salt and do various rounds of one-way mathematics against it. When you do all of that, what you're potentially left with is the ability to see from that data whether a guess on a master password is correct without having to hit our servers directly through the website."
Siegrist cautioned that once a hacker has this process, they can start running it relatively quickly, checking thousands of possible passwords per second.
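The check Siegrist describes, and why the number of "rounds of one-way mathematics" decides how many guesses per second are possible, as an added illustration that is not code from the article or from LastPass. The derivation (PBKDF2-HMAC-SHA256 over email and master password under the server salt), the salt, email, sample password and round counts are all constructed assumptions; LastPass's real scheme is not given on the page.

```python
import hashlib
import hmac
import time

# Constructed sample values for illustration only; the article does not give
# LastPass's actual derivation, salt or round count, so all of this is assumed.
SERVER_SALT = b"constructed-server-salt"
EMAIL = "user@example.com"
MASTER_PASSWORD = "correct horse battery staple"  # constructed sample


def derive(email: str, master_password: str, salt: bytes, rounds: int) -> bytes:
    """The 'rounds of one-way mathematics' step: stretch email + master
    password under the server salt into the value a server would store.
    (Assumed construction: PBKDF2-HMAC-SHA256; not LastPass's own scheme.)"""
    material = (email.lower() + ":" + master_password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, rounds)


def verify(email: str, candidate: str, salt: bytes, rounds: int, stored: bytes) -> bool:
    """Check a candidate master password against a stored verifier.

    Anyone holding a dumped email, salt and hash can run this same check
    offline, so the cost of a single derivation is what limits their rate."""
    return hmac.compare_digest(derive(email, candidate, salt, rounds), stored)


def seconds_per_derivation(rounds: int, samples: int = 5) -> float:
    """Measure one derivation at a given round count: raising rounds is the
    defender's lever for pulling offline checking well below thousands/s."""
    start = time.perf_counter()
    for i in range(samples):
        derive(EMAIL, f"timing-probe-{i}", SERVER_SALT, rounds)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    rounds = 100_000
    stored = derive(EMAIL, MASTER_PASSWORD, SERVER_SALT, rounds)
    print("correct password verifies:", verify(EMAIL, MASTER_PASSWORD, SERVER_SALT, rounds, stored))
    print("wrong password verifies:  ", verify(EMAIL, "password123", SERVER_SALT, rounds, stored))
    for r in (1, 1_000, 100_000):
        t = seconds_per_derivation(r)
        print(f"{r:>7} rounds: {t * 1000:8.3f} ms per check, ~{1 / t:,.0f} checks/s on one core")
```

Together with the blog's advice, the two mitigations are visible in the numbers: a high round count caps the checks per second, and a non-dictionary passphrase makes the number of checks needed astronomically large.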