Last Pass: Overreaction or Compromised Database?

A company which stores user passwords in a virtual safe deposit box may have had its database compromised -- or it could be a lot of peopel overreacting.

Last Pass, which provides users with one password that stores all of their passwords on a server, says its database may have been hacked. The company reported a network traffic anomaly for a few minutes from one of its non-critical machines. After further research, Last Pass found a similar anomaly in one of its other databases in the opposite direction.

While typically this kind of anomaly is an employee or an automated script, the root cause may have been something more devious, Last Pass says. We're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed, the company wrote in its blog recently.

However before people went into hysterics, the company quickly noted that because of the size of the transfer, it is unlikely that a lot of data would have been taken.

We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blobs, it said on the blog.

Still, the compromise, which Last Pass describe as a possible brute force attack, would be at least big enough to take people's usernames and encrypted passwords. It told people with dictionary passwords to change their master passwords, whereas people with complex passwords would be fine. In addition, it set up an email and IP authorization. This would make a brute force password stealing hack useless, because that person would need a user's email address and IP.

LastPass chief executive Joe Siegrist told PCWorld that the company's response may have been a bit over the top. He said it was unlikely that hackers have accessed any user passwords. However, the company wanted to take a worst case scenario approach with a major red flag.

In retrospect, we probably overthought this a bit and we're maybe too alarmist ourselves. The real message needs to be that if you have a strong master password, nothing that could have been done would have exposed your data. The only thing we're worried about is people that have weak ones. That's why we're making all these moves, Siegrist said to PCWorld.

Security firm DuoSecurity, however, was certain that LastPass was likely owned. In a blog post, DuoSecurity expert Jon Oberheide said if he were a user of LastPass, he would move forward with the assumption that it was indeed compromised and that the master password database was successfully exfiltrated. He said he found a line in LastPass' blog about its Asterisk phone server more open to UDP than it needed to be disturbing, because he says Asterisk doesn't have a great track record.

Oberheide recommended users go through their LastPass keychain and change their passwords for any websites that are important to them. If you want ensure you're safe, you should assume that the master password database and encrypted blobs were exfiltrated and that the attackers will be successful in cracking your master password, thereby recovering all the saved entries in your keychain. Better safe than sorry, Oberheide said.

Follow Gabriel Perna on Twitter at @GabrielSPerna