LastPass Faces Unknown “network anomaly”, Forces Password Reset For All

I’m a huge fan of LastPass; it’s great software for managing all your passwords. So I was slightly surprised and concerned when, trying to log in to my LastPass account, I was greeted with a “Re-enable your LastPass account” page.

[Screenshot: LastPass Activate Page]

Upon verifying my email address, LastPass then asked me to reset my master password. In a blog post, LastPass explained what happened:


Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn’t find that root cause. […] Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users’ encrypted data blobs.

To counter that potential threat, we’re going to force everyone to change their master passwords.

While it is disconcerting that the volume of data transferred is large enough to include email addresses and salted password hashes, it is some consolation that LastPass disclosed this and are forcing a master password reset, rather than merely asking people to change their password.

On the bright(!) side, LastPass have said they will be introducing PBKDF2, a key-derivation function in which a pseudo-random function (in practice an HMAC) is applied to the password together with a salt (a 256-bit one, in LastPass’s case) repeatedly (100,000 iterations, in LastPass’s case) to produce a cryptographic key. That derived key, rather than a single salted hash, is what gets stored and checked, so every guess an attacker makes against a stolen database costs 100,000 hash computations instead of one. It does not stop brute force, but it makes cracking all but the weakest master passwords vastly more expensive.
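To make the mechanics concrete, here is an added example, written for this post and not LastPass’s own code, of PBKDF2-HMAC-SHA256 spelled out per RFC 8018 and used the way the paragraph describes. The only parameters taken from LastPass’s statement are the 256-bit salt and the 100,000 iterations; the function names, the record layout and the sample guess list are assumptions. The cross-check against Python’s hashlib.pbkdf2_hmac confirms the hand-written derivation, and dictionary_attack counts the HMAC calls an attacker holding a stolen record must spend per guess.

```python
"""PBKDF2-HMAC-SHA256 spelled out (RFC 8018), the verifier record it
produces, and the cost it imposes on an attacker who has stolen that
record. Added example: not LastPass's code. Only the 256-bit salt and
100,000 iterations come from LastPass's statement; all names here are
assumptions."""
import hashlib
import hmac
import os
import struct

SALT_BYTES = 32        # 256-bit salt, as stated in the post
ITERATIONS = 100_000   # iteration count, as stated in the post


def pbkdf2_hmac_sha256(password: bytes, salt: bytes,
                       iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2 with HMAC-SHA256 as the PRF, written out so the repeated
    application of the PRF is visible. Output matches
    hashlib.pbkdf2_hmac('sha256', password, salt, iterations, dklen)."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    hlen = hashlib.sha256().digest_size
    blocks = -(-dklen // hlen)            # ceil(dklen / hlen)
    out = bytearray()
    for i in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT_BE(i)); T_i starts as U_1
        u = hmac.new(password, salt + struct.pack(">I", i), hashlib.sha256).digest()
        t = bytearray(u)
        # U_j = PRF(P, U_{j-1}); T_i = U_1 xor U_2 xor ... xor U_c
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += t
    return bytes(out[:dklen])


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """Cross-check the hand-written derivation against the standard library."""
    expected = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)
    return pbkdf2_hmac_sha256(password, salt, iterations, dklen) == expected


def make_verifier(master_password: str, iterations: int = ITERATIONS) -> dict:
    """What a server stores in place of a plain salted hash: a fresh
    random salt, the iteration count and the derived key. The password
    itself cannot be recovered from this record."""
    salt = os.urandom(SALT_BYTES)
    dk = pbkdf2_hmac_sha256(master_password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "dk": dk}


def check_password(candidate: str, record: dict) -> bool:
    """Re-derive with the stored salt and iteration count and compare in
    constant time, so response timing does not leak how much matched."""
    dk = pbkdf2_hmac_sha256(candidate.encode("utf-8"),
                            record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["dk"])


def dictionary_attack(record: dict, guesses: list) -> tuple:
    """Offline guessing against a stolen record. Returns the recovered
    password (or None) and the number of HMAC calls spent: one per
    iteration per guess, which is exactly what the iteration count
    multiplies relative to a single salted hash."""
    hmac_calls = 0
    for guess in guesses:
        hmac_calls += record["iterations"]
        if check_password(guess, record):
            return guess, hmac_calls
    return None, hmac_calls


if __name__ == "__main__":
    # Constructed sample: a weak master password and a tiny guess list.
    record = make_verifier("letmein")
    guesses = ["123456", "password", "letmein"]
    found, cost = dictionary_attack(record, guesses)
    print(f"cracked {found!r}: {cost:,} HMAC calls, against {len(guesses)} "
          "for a single salted SHA-256 per guess")
```

Running the script stand-alone uses the full 100,000 iterations, so each derivation takes on the order of a second in pure Python; that delay is the whole point, since the attacker pays it for every guess against every stolen record.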

As of now, LastPass says it does not yet have enough data to analyze thoroughly what happened or the attack method used. It has, however, clarified that the systems in question have been taken offline.

Published by

Sathya Bhat

Sathyajith aka "Sathya" or "cpg" loves working on computers, and actively participates in many online communities. Sathya is a Community Moderator on Super User, a collaboratively maintained Q&A site which is part of the Stack Exchange network. Sathya also contributes to and is a Super Moderator at Chip India Forums. While not writing SQL queries or coding in PL/SQL, Sathya is also a gamer, a Linux enthusiast, and maintains a blog on Linux & Open Source. You can reach Sathya on Twitter.