Cloud Based Password Manager LastPass Hacked?

6 05 2011

LastPass is a cloud-based password manager supported by many browsers. The service bills itself as the “Last Password You’ll Ever Need”. However, reports are going around the web that LastPass has had a security breach.

According to the LastPass Blog, they noticed a particular abnormality which could be a potential threat. As a precaution, users are forced to change their master passwords.

LastPass Blog:

To counter that potential threat, we’re going to force everyone to change their master passwords. Additionally, we’re going to want an indication that you’re you, by either ensuring that you’re coming from an IP block you’ve used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn’t give access to this theoretical attacker because they wouldn’t have access to your email account or your IP.

Currently, the traffic to LastPass is overwhelming due to users changing passwords. If you have a LastPass account, I’d highly suggest trying to get yours changed as soon as possible. Whether it is a threat or not, these are YOUR passwords.

Password Strength

Create a strong password. Some websites have a security level indicator when creating an account. In particular, make your LastPass Master Password different from the rest.

Update from LastPass at 4:30pm EST

For those who haven’t been prompted, and have continued to use LastPass without issue — we’ve judged the risk to be low if you’re using the same IP — we’re only raising the issue once that changes.

Finally if you have issues with password changes please email us at, we can revert you, or we can pull data from backups, but please try LastPass Icon -> Clear local cache first.

PCWorld followup with LastPass CEO at 8pm EST

PCW: What steps are you recommending users take now?

Siegrist: If you used a strong master password, even if anything had been taken, there shouldn’t be any cause for concern. If you used a weak master password, there might be a little more risk, but it’s kind of a one in a million kind of a risk based on the total amount of data that was transferred. If you used a weak master password, it’s probably wise now to replace it with a strong one and look at your most critical sites–your banking, your e-mail–and think about changing those.

With the Amazon crash a short time ago, there’s some irony that LastPass is running into an obstacle. What does this mean for cloud-based services?



