You know that I'm using LastPass as my password manager. It offers everything that I need and then some. One thing that I like about the service is that the company is dedicated to taking security seriously. A post on the LastPass blog entitled LastPass Security Notifications mentions that the company has noticed a network traffic anomaly on a non-critical server. The cause of the anomaly could not be identified. Further investigation revealed that traffic was sent from a database, which could not be accounted for either.
Instead of sweeping the incident under the rug, the developers decided to assume the worst-case scenario: that an attacker managed to breach the security and download user data from the database. The amount of traffic was large enough to include user emails, the server salt and salted password hashes.
This data could be used by the attacker to brute-force master passwords, which would then give access to a user's LastPass vault with all stored passwords.
As a consequence, the company asks its users to change their master password as a precautionary measure.
Some users may have received notifications to change their master password, or other notifications related to the incident (such as the LastPass message "An error has been encountered while loading your sites"). Only users who try to connect and log in from a new IP address, one that they have not been using in the past weeks, are asked to do that.
I did change my master password and I'm currently seeing an anomaly on all sites. The autofill username and password feature appears to be broken. Even a right-click and the selection of LastPass > Copy Username or Copy Password does not reveal any entries.
I could not find any information about this on the LastPass website or in the user comments. I suppose it is a temporary thing that will resolve automatically.
LastPass is rebuilding the boxes and has moved services to other servers for now. They also compared the code on the live servers with the code in their repositories to make sure it was not tampered with.
If you read through the comments, you notice that the majority of users who comment have login problems. Some because their browser is detected as a mobile device, which they cannot log in with.
I for one am happy that LastPass communicated the issue right away to their users, unlike other companies that we know of (cough, Sony, cough). Yes, it may be inconvenient today to get things sorted out, but I prefer that to doing nothing.