LastPass, which hails itself as providing “the last password you’ll have to remember,” is an extension that works on all browsers, smartphones and operating systems. It fills in saved logins and forms with the click of a button and syncs personal data to any computer you use.
LastPass stated in a company blog that it noticed a network traffic anomaly on a noncritical server. Workers delved into the anomaly but couldn’t find the root cause. Then they noticed that traffic was sent in the opposite direction from another unaccountable database. “Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed.”
What LastPass does know about this problem is “roughly” the amount of data transferred and that “it’s big enough to have transferred people’s e-mail addresses, the server salt and their salted password hashes from the database,” but the amount isn’t big enough to have pulled “many users’ encrypted data blobs.” (Note the usage of the word many — that could mean the loss of some encrypted data blobs.)
Not only is the LastPass team forcing its users to change their master passwords, they’re also verifying identities by double-checking that an individual’s access is coming from IP blocks that have been used before or by authenticating e-mail addresses.
Though the scope of the potential data loss is unknown at the moment, LastPass, which was hailed as one of PCWorld’s 100 best products of 2009, is using this incident as an opportunity to unveil a new layer of security it has been working on: PBKDF2 (Password-Based Key Derivation Function 2) using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds.
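To make the announced scheme concrete, here is an added example (not LastPass’s own code) of server-side PBKDF2-HMAC-SHA256 with a random 256-bit salt and 100,000 rounds, plus a check for rehashing older entries when the round count is raised. The storage string format, the per-user salt and the function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Parameters matching the scheme described above (assumed: PBKDF2 with HMAC-SHA256).
HASH_NAME = "sha256"
SALT_BYTES = 32        # 256-bit per-user salt
ROUNDS = 100_000       # iteration count announced by LastPass
DK_BYTES = 32          # derived key length (assumption)
SCHEME = "pbkdf2-sha256"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = ROUNDS) -> str:
    """Return a self-describing record: scheme$rounds$salt$derived_key (format is an assumption)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user, never reused
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, rounds, dklen=DK_BYTES)
    return "$".join([SCHEME, str(rounds), _b64(salt), _b64(dk)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt/rounds and compare in constant time."""
    try:
        scheme, rounds, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, int(rounds), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, rounds: int = ROUNDS) -> bool:
    """True if a record was created with fewer rounds than the current policy (rehash at next login)."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < rounds


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), needs_rehash(record))
```

Because the round count is stored alongside each hash, a server can verify a user against the old parameters and immediately re-store the password under the stronger ones, which is how a migration like the one described above can be completed without a forced reset.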
With so much fraud and theft online today — the most prominent recent example being the huge Sony hack that exposed personal data from 77 million Sony PlayStation Network customers — it’s heartening to see that LastPass is being so “paranoid” and taking this matter seriously.