Thursday, May 5, 2011

LASTPASS POSSIBLY HACKED, URGES USERS TO CHANGE PASSWORD


Free password management program LastPass, a browser extension that manages passwords and automates form filling, has been subjected to an external attack which could see user email addresses, their server salt and salted password hashes stolen by attackers.

Posting on the company blog, the LastPass team explains that evidence of an attack was first noticed on Tuesday after the server logs were checked and anomalies identified and processed. Network traffic, over a period of a few minutes, spiked on one of the non-critical LastPass machines. Unable to identify the cause, the team then noticed a similar traffic spike in the opposite direction, suggesting that the data on the machines had somehow been accessed.

LastPass explains what it thinks might have been compromised:
“We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users’ encrypted data blobs.”

Users with a “strong, non-dictionary based password or pass phrase” should not be affected. LastPass believes that attackers will need to brute-force its users’ master passwords to gain access to user data.

LastPass urges all of its users to change their passwords to counter the threat and has put in place an additional level of security that checks whether the user is accessing the site from an IP address they have used before, and also requires the email address to be validated.
