While I was stuck in the airport in Zurich on Monday, it appears that the folks at Lastpass were having a far worse day. It seems somewhat fitting that a data breach like this would surface while I'm attending the FIRST incident responders conference in Berlin this week. The password manager makers, Lastpass, announced on Monday, June 15th, that they had become an unwilling addition to the long list of companies that have suffered a data breach.
On Friday, June 12th, the company discovered what they referred to as "suspicious activity" on their network. This activity resulted in the exposure of user email addresses, password reminders, per-user salts and authentication hashes. Ouch. They did point out that there did not seem to be any evidence of attempts to access user accounts themselves. No mention was made, however, of when this suspicious activity first began on the Lastpass network, so "detected Friday" should not be read as "started Friday". The password reminders deserve a second look: a reminder is a plaintext hint, and depending on what a user wrote in it, it can give an attacker a far shorter path to the master password than grinding through the hash.
For those of you who might not be aware, Lastpass is a password management application that provides a central repository in which to store and manage all of your passwords. It also offers a simplified way to log in to websites that require authentication. This is a handy application, as are competitors like 1Password and KeePass, but if compromised it can be a source of much consternation.
Lastpass noted that no encrypted user vault data had been taken as a result of this breach. In their words:
We are confident that our encryption measures are sufficient to protect the vast majority of users. Lastpass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
Now, while this data breach is unfortunate, there is some good news to point out. This is in fact rather impressive from the perspective of breach notification. Think about this for a moment. They noticed suspicious activity on their network on Friday and by Monday they had alerted the community at large. You can throw stones all day long, but a turnaround like that from breach detection to notification is still impressive. Bear in mind that it says nothing about how long the intruders were present before detection; that is the number they have not given.
Admittedly, I would be far more amenable to their situation had this not happened before. In 2011 they suffered a similar security incident. At that time the company asked customers to change their passwords, and unfortunately this had some negative results. At the time they said this: "We're overloaded handling support and the sheer load of password changes is slowing us down. We've implemented a way for you to verify your email and then not be immediately forced to change your password for that IP, access from any other IP would bring you back to email verification. You can now wait a few days if you know you'll be on the same IP without loss of security, and due to this overloading we think that's prudent to wait." Hopefully they have learned from that scaling problem.
I've always been a proponent of password management applications, but while I'm not a user of Lastpass, this does highlight, yet again, the fact that no solution will provide 100 percent security. I have been known to be guilty of not rotating the master password on my password manager frequently. This should provide people with a kick to go check on the last time they updated theirs.
Lastpass indicated that they are working with authorities and security forensic experts. No mention was made of who that might be, I noticed. Lastpass will be emailing their customers directly in addition to the notification being posted. They will be prompting users who have not already done so to change their master password.
While this is an unfortunate breach, it should be pointed out that this really doesn't mean that you should throw the baby out with the bath water. Using a tool like a password manager is still a far better idea than affixing post-it notes to your monitor.