bit-tech.net

LastPass user panic over possible server breach

Popular password manager LastPass has taken action against a possible security breach.

Popular password manager LastPass took action against a possible security breach late last week, forcing many users to change their master passwords.

In a statement on the team's blog, LastPass said an anomaly was spotted in its data logs that it was unable to explain. It immediately took the stance that the anomaly pointed to something malicious, saying: 'we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed.'

According to the statement, the amount of data that could have been accessed was small, and the breach wouldn't affect users with strong, non-dictionary-based passwords or passphrases.

LastPass initially forced some users to change their passwords, but its servers struggled under the deluge of password change requests as the news of the possible breach spread, forcing the company to disable password changing until its servers caught up.

In a later update, LastPass said that most users who continued to access the service from the same IP address were unaffected. According to the latest update on the blog over the weekend, password changing has now been restored to all users. However, the company advises that there's 'no need to panic', as 'all accounts were put into a locked down mode of only allowing previous login locations or verify via email, until password change.'
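The lockdown described above, modelled as an added example (this is not LastPass's own code): every account starts locked, a login from a previously seen IP address passes, a login from a new address must complete e-mail verification first, and a password change lifts the lockdown. The IP addresses, the token format and the method names are constructed for illustration.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    known_ips: set = field(default_factory=set)          # locations seen before the anomaly
    locked_down: bool = True                              # every account starts locked down
    pending: dict = field(default_factory=dict)           # e-mail token -> IP awaiting verification


class LockdownPolicy:
    """Hypothetical model of the 'previous login locations or verify via email' mode."""

    def __init__(self):
        self.accounts = {}

    def register(self, user, previous_ips):
        self.accounts[user] = Account(known_ips=set(previous_ips))

    def login(self, user, ip):
        """Return 'allowed', or 'verify_email:<token>' when the location is new."""
        acct = self.accounts[user]
        if not acct.locked_down or ip in acct.known_ips:
            return "allowed"
        token = secrets.token_urlsafe(16)
        acct.pending[token] = ip
        # The token would be e-mailed to the user here; the login stays blocked
        # until verify_email() is called with it.
        return "verify_email:" + token

    def verify_email(self, user, token):
        """Consume a one-time token; on success the new IP becomes a known location."""
        acct = self.accounts[user]
        ip = acct.pending.pop(token, None)
        if ip is None:
            return False
        acct.known_ips.add(ip)
        return True

    def change_password(self, user):
        """A completed master-password change ends the lockdown for that account."""
        acct = self.accounts[user]
        acct.locked_down = False
        acct.pending.clear()
```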

LastPass has over 50,000 downloads per week for Firefox alone, and supports all major platforms and smartphones.

Do you use a password manager, or do you limit the amount of important information you store online to a minimum? Let us know in the forums.

mclean007 9th May 2011, 11:31
I use a password manager. It's called my brain and I keep all my passwords there. Of course that's not too hard when my password is "PASSWORD" for every site I use.

For anyone who missed the sarcasm above, just for the record I was kidding :D
SlowMotionSuicide 9th May 2011, 11:35
TBH, all these security breaches lately have made me a bit hopeless. Only a few weeks ago I received an e-mail from Play.com that their account security had been breached. Then the PSN episode, and now this.

What should an honest consumer do, set up a fake ID for every online purchase since no one seems to be able to keep crackers at bay? I'm kinda tired of continuous credit card rerolls.
Kiytan 9th May 2011, 11:37
Seems everywhere is getting hacked recently. At least they dealt with it in a proper way though, unlike Sony.
Dr_Frankenstein 9th May 2011, 13:11
I wouldn't store any passwords online; keep a locally encrypted version if you can't remember them all. I use 'keepass'.
Zurechial 9th May 2011, 14:06
Quote:
Originally Posted by Dr_Frankenstein
I wouldn't store any passwords online; keep a locally encrypted version if you can't remember them all. I use 'keepass'.

This.

I would never trust an online password storage service. Locally-stored secure Keepass databases are a much better idea I think.
Mechh69 9th May 2011, 14:12
I use a spreadsheet that is secured within TrueCrypt. Hack that one.
radziecki 9th May 2011, 14:15
Guys, two tips:
a) Use top-up electronic-use-only cards and not your regular credit/debit card. You only fill up the account when you need to purchase something.
b) DO NOT store any card data online, if possible. Use software like PasswordSafe to keep the crucial data handy at all times.

Worked for me for the last couple of years...
Lowsidex2 9th May 2011, 14:46
Pen and paper is my password storage system. I'm infinitely less worried about someone breaking into my home and happening across my cheat sheet than I am about someone hacking a distant server or even my local machine with that file labeled 'passwords'.
SlowMotionSuicide 9th May 2011, 14:51
Good tips, but unfortunately not always applicable.

a) I'm not sure what you mean by a "top-up electronic-use-only" card, but if I had to hazard a guess these mean cards like Visa Electron, right? Not too many sites accept one.

Finnish banks do not offer virtual credit cards, either.

b) Again, not always possible. For example, Play.com requires you to register before making a purchase, and they insist on storing credit card data. After the hacking incident, I tried to remove the CC number bound to my account, to no avail. Can't unsubscribe from their mailing list, either. Serves me right, I guess.

I'm using unique passwords for each account I have, but it really pisses me off that companies require me to give away personal info and then don't bother to protect it properly. I'm not really happy with criminals in possession of my physical and email address, phone number, etc.
tad2008 9th May 2011, 15:26
Quote:
Originally Posted by SlowMotionSuicide
Good tips, but unfortunately not always applicable.

a) I'm not sure what you mean by a "top-up electronic-use-only" card, but if I had to hazard a guess these mean cards like Visa Electron, right? Not too many sites accept one.

Finnish banks do not offer virtual credit cards, either.

Can't speak for our European cousins, but here in the UK I believe both Visa and Mastercard that I know of offer a kind of pre-paid debit card where you basically put credit on the card and then can use this securely for online purchases as you would a normal debit card.

Just done a quick check for those that might benefit:

VISA
http://visa.co.uk/en/products/visa_prepaid.aspx

MASTERCARD
http://www.mastercard.com/uk/personal/en/findacard/prepaidnew/index.html
MrWillyWonka 9th May 2011, 15:32
Quote:
Originally Posted by SlowMotionSuicide
Good tips, but unfortunately not always applicable.

a) I'm not sure what you mean by a "top-up electronic-use-only" card, but if I had to hazard a guess these mean cards like Visa Electron, right? Not too many sites accept one.

Finnish banks do not offer virtual credit cards, either.

b) Again, not always possible. For example, Play.com requires you to register before making a purchase, and they insist on storing credit card data. After the hacking incident, I tried to remove the CC number bound to my account, to no avail. Can't unsubscribe from their mailing list, either. Serves me right, I guess.

I'm using unique passwords for each account I have, but it really pisses me off that companies require me to give away personal info and then don't bother to protect it properly. I'm not really happy with criminals in possession of my physical and email address, phone number, etc.

What radziecki meant was a top-up cash card: basically it's a top-up card that you can buy in the shops and top up whilst in the shop, and it is usable online as it is a Visa debit card. A bit of a hassle to do, but it is one of the safest ways to buy stuff online.

EDIT: What ^^^ said!
SlowMotionSuicide 9th May 2011, 15:37
No such thing available here, though.

I did a check for both my Visa and Mastercard.

Well, there probably will be an option for those now that hacking service providers and e-shops has become an almost everyday occurrence. Even my bank felt it necessary to notify me on the PSN issue, though no fraud has taken place, yet.
l3v1ck 9th May 2011, 15:38
Quote:
Originally Posted by mclean007
I use a password manager. It's called my brain and I keep all my passwords there.
+1
thehippoz 9th May 2011, 15:47
Quote:
Originally Posted by mclean007
I use a password manager. It's called my brain and I keep all my passwords there.

waterboarding
PureSilver 9th May 2011, 15:58
This is not really the whole story - even if someone has hacked LastPass's databanks and grabbed files, they are of no use unless they can be cracked individually. LastPass don't store any of your data unencrypted - in fact, it's not possible for them to do so, and if you lose your LastPass password you're basically f***** because they've no way of retrieving it. So, for this to be a security issue:
  1. LastPass' servers have to have been hacked. There's no evidence this has actually occurred - there's a system anomaly and LastPass are being paranoid about it because that's what we pay them to do.
  2. LastPass users' data has to have been copied. Again, no evidence this has occurred.
  3. The users' encrypted data has to be individually cracked, by brute force. My password is >15 characters long, containing upper- and lower-case letters, numbers, and symbols, in randomly generated order. That's 96 possibilities for each of the 15+ characters = 5.20402924666473e+31 combinations - a number equivalent to 52,040,292,466,647,300,000,000,000,000,000 potential passwords, or one order of magnitude over a nonillion. Cracking it by brute force using an i7 920 or similar would take quite literally tens of thousands of years.

Me? I'm not worried in the slightest. In addition to my password, my LastPass is encrypted using their Grid Multifactor Authentication system, which adds the complexity of a unique 26x9 code grid to any computer I haven't personally approved. I haven't done the maths on that too but it is another hurdle to the theoretical hackers getting my Facebook password.

Using LastPass means I can use different 15-character alphanumerosymbolic passwords for everything I use - so compromise of any one won't affect the others. Since even I don't know them, it's very difficult for them to be compromised. As far as I can see, you're much more likely to be in trouble by entrusting your data to people that aren't LastPass, like, er, PSN...
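An added example (not from the post above and not LastPass's code) that puts numbers on the argument: the guess space of a random password versus a dictionary-based one, the worst-case time to exhaust it at an assumed guess rate, and how a slow key-derivation function (KDF) with N iterations divides the attacker's rate by N. The guess rate, word-list size and KDF iteration count are constructed assumptions; the check on 96^16 confirms that the post's figure of about 5.2e31 corresponds to sixteen characters from a 96-symbol alphabet.

```python
import math

# Constructed assumptions, not figures from the article: one attacker machine
# trying a million candidate master passwords per second against an unstretched
# hash; a KDF with N iterations cuts that effective rate by N.
GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_password_space(alphabet_size: int, length: int) -> int:
    """Candidates for a uniformly random password, e.g. 96 printable symbols."""
    return alphabet_size ** length


def dictionary_password_space(wordlist_size: int, words: int, suffix_digits: int = 0) -> int:
    """Candidates for a password built from dictionary words plus a numeric suffix.
    An attacker who knows the pattern tries only these, not every string."""
    return (wordlist_size ** words) * (10 ** suffix_digits)


def years_to_exhaust(space: int, kdf_iterations: int = 1,
                     guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in `space`."""
    effective_rate = guesses_per_second / kdf_iterations
    return space / effective_rate / SECONDS_PER_YEAR


def entropy_bits(space: int) -> float:
    """Guessing entropy of a password chosen uniformly from `space`."""
    return math.log2(space)


def compare(kdf_iterations: int = 1) -> dict:
    """Summarise three master-password styles under the same attacker model."""
    cases = {
        # two words from a 100k-word list plus two digits: the 'dictionary based'
        # style the article says is at risk
        "two_words_2_digits": dictionary_password_space(100_000, 2, 2),
        # eight random symbols from a 96-symbol alphabet
        "random_8": random_password_space(96, 8),
        # sixteen random symbols, the size the post's 5.2e31 figure corresponds to
        "random_16": random_password_space(96, 16),
    }
    return {name: {"candidates": space,
                   "bits": round(entropy_bits(space), 1),
                   "years": years_to_exhaust(space, kdf_iterations)}
            for name, space in cases.items()}
```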
sotu1 9th May 2011, 16:21
PEN AND PAPER. Honestly it actually works sometimes!
bobwya 9th May 2011, 17:10
My advice is to simply let E-Merchants store all your credit card details online. However then ensure that all your credit cards are maxed out (to their respective limits). E viola - no E-fraud!
shanky887614 9th May 2011, 17:33
Guys, there is a quick cheat: create a new account with the same person as the main account, make sure it's debit only and doesn't allow overdrafts or credit, then just swap money to it before buying online. That's my way of dealing with it.

What can a hacker do with a bank account with £1 in it?
Salty Wagyu 9th May 2011, 17:44
Keepass is way less convenient though, as I frequent a lot of sites that log you out automatically as the session expires (Amazon for example). Having to c+p all the time gets tedious, and I've been there.
radziecki 9th May 2011, 21:13
OK, what we have here in Poland in a couple of banks is a so-called "virtual card", issued by Visa or Mastercard. It works only online; it doesn't have a magnetic strip, or even a CVV code imprinted - you get it in an envelope. To use it, you have to make a transfer to a sub-account associated with it. It's not Visa Electron or Maestro - it's a "full" Visa, accepted everywhere - at least I didn't have any trouble with it...
John_T 9th May 2011, 21:30
Quote:
Originally Posted by Lowsidex2
Pen and paper is my password storage system. I'm infinitely less worried about someone breaking into my home and happening across my cheat sheet than I am about someone hacking a distant server or even my local machine with that file labelled 'passwords'.
Quote:
Originally Posted by sotu1
PEN AND PAPER. Honestly it actually works sometimes!

Those.

I have passwords written down and I type them in manually each time I need them. Sites I use regularly I learn to remember the password over time, sites I use infrequently I look up. Seriously, how much of a chore is it to type out a (usually) 8-14 character password?

Also, all those people who refuse to pay by credit cards, I understand the point, but if you're in the UK then you're missing out on your Section 75 protection. (This is not the same thing as PPI by the way).

Section 75 is a law which states that the credit card provider is jointly liable with the seller for delivery of goods between £100 - £30,000, so if you pay for something which then doesn't arrive, (the business goes belly up for example) you can claim all your money back from your credit card company.

Pretty useful if you're ordering a £2,000 PC...

And that's without the fact that most banks rarely hold the customer liable for fraud when they can prove it wasn't them who was responsible, and that many banks and credit cards offer special online protection and guarantees anyway.

In many circumstances, most British people are better off using credit cards online than not using them.
knuck 10th May 2011, 02:18
I'm not worried at all
alf- 10th May 2011, 03:53
I use a password manager for sites that don't really matter, and by that I mean sites that don't contain any information I really care about (credit information etc.).

I'm more than willing to risk using a password manager for sites like Facebook, as they do not contain important information.

As for internet banking and PayPal, that's a different story: much stronger passwords, which I only store on paper in my house.
slothy89 10th May 2011, 05:05
It's not that hard to memorise 12+ character passwords. I work in network admin, and every server, device and admin account has a different 14-16 character password with alpha, numerical and symbol characters.
I remember a good 20 of them just out of habit, and that's before you count my personal passwords, which are 100% random chars.
You don't need to use your dog's name + DoB to be able to memorise passwords... Sheesh.
The_Beast 10th May 2011, 05:28
Quote:
Originally Posted by Dr_Frankenstein
I wouldn't store any passwords online; keep a locally encrypted version if you can't remember them all. I use 'keepass'.

+2

I use the same password for sites I don't really care about if they get hacked (forums...), but I use keepass for sites I do care about: online stores, banking...
GravitySmacked 10th May 2011, 07:48
I use LastPass with a very strong master password; I've changed it anyway.
proxess 10th May 2011, 09:14
Portugal has a global top-up system for all banks called MBNet; it generates a temporary Visa with the value you decide, never putting your real card at risk.