Welcome to the SecAware blog

I spy with my beady eye ...

6 May 2011

LastPass database compromised

Brian Krebs' excellent blog alerted me to a probable database compromise at LastPass.com

LastPass.com ("The last password you'll have to remember!") is an online database or vault for users' passwords and other confidential user information.  Naturally the user information is encrypted, using a 'master password' and a salt to generate the cryptographic key.  It appears that hackers may have broken the site's security to access and steal encrypted data from the database, possibly including the salts.  They are presumably hard at work brute-forcing those master passwords right now, so the race is on for users of LastPass to log in and change their master passwords before the crackers access all their stored data - and then go on a rampage through users' accounts on other systems using the stored passwords.  Note that changing the master password protects the live account, but any copy of the encrypted data that has already been exfiltrated remains encrypted under the old key, so the passwords stored inside the vault should be changed as well.
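To make the brute-force race concrete, here is an added example, not code from LastPass or from this blog, showing why a stolen salt plus password hash is dangerous and what slows the attacker down. The scheme is an assumption for illustration only (PBKDF2-HMAC-SHA256 deriving the vault key from the master password and a random per-user salt, with the server storing a hash of that key as a login verifier); LastPass's actual key derivation and parameters are not described here. The wordlist, the master passwords and the iteration counts are all constructed for the demo.

```python
"""Added example: salted key derivation and the offline attack it has to resist.

Assumed design (not LastPass's actual scheme): PBKDF2-HMAC-SHA256 derives the vault
encryption key from the master password and a per-user random salt, and the server
keeps only a verifier (a further hash of that key) to check logins against.
"""
import hashlib
import hmac
import os
import time

DEFAULT_ITERATIONS = 50_000  # assumed work factor for the demo; raise it in practice


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Vault encryption key = PBKDF2-HMAC-SHA256(master password, salt)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def verifier_for(key: bytes) -> bytes:
    """What the server stores: a hash of the key, never the key itself."""
    return hashlib.sha256(key).digest()


def make_record(master_password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Server-side record for one user: exactly what a database thief walks off with."""
    salt = os.urandom(16)  # fresh random salt per user defeats precomputed tables
    key = derive_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": verifier_for(key)}


def offline_crack(record: dict, candidates):
    """Attacker holding the stolen salt + verifier: test guesses with no server involved.

    Returns (recovered_password, guesses_tried); recovered_password is None on failure.
    Nothing rate-limits this loop except the cost of each derivation.
    """
    tried = 0
    for guess in candidates:
        tried += 1
        key = derive_key(guess, record["salt"], record["iterations"])
        if hmac.compare_digest(verifier_for(key), record["verifier"]):
            return guess, tried
    return None, tried


def seconds_per_guess(record: dict, samples: int = 5) -> float:
    """Cost of one guess at this record's iteration count, the only brake on the attacker."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("timing-probe", record["salt"], record["iterations"])
    return (time.perf_counter() - start) / samples


# Constructed wordlist standing in for a real cracking dictionary (a few hundred
# million entries would be realistic; ten are enough to show the mechanics).
WORDLIST = ["123456", "password", "letmein", "qwerty", "Password1", "lastpass",
            "summer2011", "correct horse", "admin", "welcome1"]

if __name__ == "__main__":
    weak = make_record("Password1")
    strong = make_record("vault-Mast3r-phrase with plenty of entropy")
    print("weak master password recovered:", offline_crack(weak, WORDLIST))
    print("strong master password recovered:", offline_crack(strong, WORDLIST))
    per_guess = seconds_per_guess(weak)
    print(f"~{per_guess * 1e3:.1f} ms per guess at {weak['iterations']} iterations "
          f"-> {1 / per_guess:,.0f} guesses/s single-threaded")
    # Same password at one iteration: what a thief hopes to find in the database.
    cheap = make_record("Password1", iterations=1)
    print(f"at 1 iteration: ~{seconds_per_guess(cheap) * 1e6:.0f} us per guess")
```

Two things fall out of running it: the weak master password is recovered after five guesses however good the salt and the hash are, because the salt only stops precomputation, not guessing; and the iteration count is what turns "guesses per second" into a cost the attacker has to pay per user, which is why a low work factor in a stolen database is nearly as bad as no hashing at all. A passphrase that is not in any dictionary is the only thing the user controls.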

This is exactly the kind of compromise that sites such as LastPass seek to avoid at all costs.  They do so through a process of examining their information security risks and mitigating them, normally through the use of information security controls such as database encryption, server hardening, application security, logging and alerting.  In this case the compromise was initially spotted as a network traffic anomaly that triggered an alert in their network/security monitoring software.

LastPass, to their credit, have been quick to notify users about the breach and encourage them to change their master passwords ASAP.  Hopefully they will also have diagnosed and of course fixed whatever vulnerabilities were exploited by the hackers, otherwise they may just come back for another bite at the cherry.  LastPass customers are likely to be rather wary of continuing to use the service, but their options are limited - they could try remembering and managing all their passwords themselves (in the hope that they can do so more securely than LastPass) or they may be looking at other password vault options and trying to evaluate their security arrangements (not easy as companies are naturally reluctant to divulge all their security arrangements in public).

If you're interested, Google knows about loads of password vault options.  Unfortunately, it doesn't really know how secure they are. Given that you intend to store some of the most confidential information you have, consider your own risks carefully before proceeding.

Gary (Gary@isect.com)
