Earlier this week, I noticed errors from LastPass when I fired up my browser and was unable to log in manually with my normal master password. I didn’t pay much attention to this at first since the email address I used to log in was one I shut down recently. I figured that was the reason and made a mental note to go change it later. But, when I tried to log in to LastPass to change my account settings (using a one-time password that I had previously created), I got a notice saying that the LastPass servers were overloaded and that I should try again later. That’s when I began to take a deeper look and discovered what others already knew: LastPass had noticed an “anomaly” in their network traffic and as a precaution had begun to force users to change their master passwords.
According to LastPass’s blog, May 4th, 2011, here’s what happened:
LastPass Security Notification
We noticed an issue yesterday and wanted to alert you to it. As a precaution, we’re also forcing you to change your master password.
We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.
In this case, we couldn’t find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users’ encrypted data blobs.
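The reasoning in that notice (find an unexplained outbound burst, confirm a matching burst on a second host, then size the unexplained bytes against the records that could have fit) is easy to reproduce over per-minute flow totals. The script below is an added illustration, not LastPass’s code or data: the flow counts, the host names, the 100,000-user population and the per-record sizes are all constructed assumptions chosen to make the arithmetic visible.

```python
"""Egress-burst check plus 'what could have fit' sizing.

Added example, not code or data from LastPass. All numbers below are
constructed for illustration.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Minute:
    t: int          # minute index within the window
    bytes_in: int   # bytes received by the host in that minute
    bytes_out: int  # bytes sent by the host in that minute


# Constructed per-minute totals for a database host. In a normal minute the
# DB sends somewhat more than it receives (queries in, rows out). Minutes
# 7-9 carry an outbound burst with no matching rise in inbound traffic.
DB_FLOWS = [
    Minute(0, 80_000, 120_000), Minute(1, 75_000, 110_000), Minute(2, 90_000, 130_000),
    Minute(3, 82_000, 125_000), Minute(4, 78_000, 115_000), Minute(5, 85_000, 128_000),
    Minute(6, 80_000, 118_000),
    Minute(7, 81_000, 9_500_000), Minute(8, 79_000, 11_200_000), Minute(9, 83_000, 8_800_000),
    Minute(10, 84_000, 122_000), Minute(11, 77_000, 116_000),
]

# Constructed totals for a non-critical host in the same minutes. Its burst
# is larger than the DB's, as an intermediate hop that adds its own overhead
# before sending data onward would show.
RELAY_FLOWS = [
    Minute(0, 40_000, 45_000), Minute(1, 41_000, 52_000), Minute(2, 39_000, 48_000),
    Minute(3, 42_000, 50_000), Minute(4, 40_000, 47_000), Minute(5, 43_000, 51_000),
    Minute(6, 41_000, 49_000),
    Minute(7, 9_600_000, 12_000_000), Minute(8, 11_300_000, 13_500_000),
    Minute(9, 8_900_000, 10_500_000),
    Minute(10, 40_000, 46_000), Minute(11, 42_000, 53_000),
]


def flag_egress_burst(flows, factor=5.0):
    """Return (flagged_minutes, excess_bytes).

    A minute is flagged when its outbound volume exceeds `factor` times the
    host's median outbound volume. The median is used rather than the mean so
    that the burst itself does not inflate the baseline. `excess_bytes` is the
    outbound volume above baseline across the flagged minutes, i.e. the amount
    that cannot be accounted for by normal traffic.
    """
    base = median(m.bytes_out for m in flows)
    flagged, excess = [], 0
    for m in flows:
        if m.bytes_out > factor * base:
            flagged.append(m.t)
            excess += m.bytes_out - int(base)
    return flagged, excess


def outbound_exceeds_inbound(flows, minutes):
    """True if, in every flagged minute, the host sent more than it received.

    This is the 'opposite direction' check from the notice: a database that
    is being read will show the burst outbound, not inbound.
    """
    by_t = {m.t: m for m in flows}
    return all(by_t[t].bytes_out > by_t[t].bytes_in for t in minutes)


def matching_minutes(flags_a, flags_b):
    """Minutes flagged on both hosts: the DB burst and relay burst line up."""
    return sorted(set(flags_a) & set(flags_b))


# Assumed per-user record sizes, for illustration only (not LastPass's schema).
# An email address, a server salt and a salted hash fit in well under 200
# bytes; an encrypted vault blob is typically tens of kilobytes.
CREDENTIAL_ROW_BYTES = 160
VAULT_BLOB_BYTES = 40_000


def coverage(excess_bytes, n_users, row_bytes=CREDENTIAL_ROW_BYTES, blob_bytes=VAULT_BLOB_BYTES):
    """Fraction of the user base each record type could have been pulled for.

    The value is capped at 1.0: anything above means the whole table fits.
    This is the sizing step in the notice: enough for every user's salted
    hash, nowhere near enough for many users' encrypted blobs.
    """
    return {
        "credential_rows": min(1.0, excess_bytes / (n_users * row_bytes)),
        "vault_blobs": min(1.0, excess_bytes / (n_users * blob_bytes)),
    }


if __name__ == "__main__":
    db_flags, db_excess = flag_egress_burst(DB_FLOWS)
    relay_flags, _ = flag_egress_burst(RELAY_FLOWS)
    print("DB burst minutes:", db_flags, "excess bytes:", db_excess)
    print("DB sent more than it received in those minutes:",
          outbound_exceeds_inbound(DB_FLOWS, db_flags))
    print("Minutes where the relay burst matches:", matching_minutes(db_flags, relay_flags))
    print("Coverage for an assumed 100,000 users:", coverage(db_excess, 100_000))
```

Two caveats a practitioner would add. A threshold on per-minute outbound volume only catches bulk pulls; a slow exfiltration that stays under the median would never be flagged, which is why the notice's habit of explaining every anomaly, not just the large ones, matters. And the sizing step only bounds what could have fit; it says nothing about which rows were actually read, so the conservative response is the one LastPass took: treat the whole credential table as exposed.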
LastPass posted ongoing updates to the situation as it developed. The second update explained why I couldn’t get in properly.
Update 2, 2:15pm EST:
Record traffic, plus a rush of people to make password changes is more than we can currently handle.
We’re switching tactics — if you’ve made the password change already we’ll handle you normally. If you haven’t, the vast majority of you will be logged in using ‘offline’ mode so you can still use LastPass like normal and get back to your day; only syncing of new passwords should suffer (and you’ll see the bar).
As it stands right now, I was able to log in with my original master password (which is very strong) and change my account settings, so everything seems to be back to normal. As of 9 am on 5/7/2011, this is the posted status on the blog:
Update 8, ~9am 05/07 EST: We enabled password change to greater percentages overnight and now to all users. Again please note that there is no need to panic; all accounts were put into a locked down mode of only allowing previous login locations or verify via email, until password change. We’re asking any users that have current issues with a password change to contact us — we will restore you from backups. Many have been people forgetting what password they changed to, so make sure you practice that new password a number of times after you change it. We appreciate your patience, we’ll continue to update with any changes.
So, back to normal it seems. And even though LastPass’s response over a mere “oddity” caused some major inconvenience for many of its users, I am even more confident in their security than I was before. Think about it. They saw something odd in their network traffic that they couldn’t explain. They saw a risk that sensitive information was getting into the wrong hands and they immediately took action, keeping users updated with detailed information about what they were doing and why and told users what to do about it.
Kudos to LastPass for being a good example of how to do security the right way.