May 4, 2011

LastPass Security Notification

Update 10, May 16th, 3:20pm EST - Final update to this post; we'll make new posts going forward.

Actions we've taken:
  • Multiple security experts and firms were brought in to help us; we've engaged one firm to do a further source-code-based review.
  • We're committed to doing several reviews per year and sharing the results of these reviews.
  • We've had some useful suggestions from the community -- we appreciate your input: https://lastpass.com/support_security.php
  • One example: to reduce the chance of phishing, Iastpass.com was registered -- that's a capital i instead of an L. We've also purchased 1astpass.com.
  • All non-core services have been completely removed from the LastPass network; LastPass now runs the web application and DNS servers only.
  • Forums, Helpdesk, etc are run offsite on 3rd party servers.
  • We're looking into moving our support tickets off our network too.
  • Amazon was utilized to send out the email notification; we're now better able to send large amounts of email quickly, and we thank Amazon for working to spin us up fast.
  • We've commissioned a write-only off-site aggregated log server which can only be accessed via the console. This lets us guarantee that our logs are intact.

The good:
  • We were prepared to both disable accounts and force people through password changes, which was something we had planned for.
  • The steps we took protected all users, even those who used weak master passwords.
  • Having a live backup system proved invaluable for people who ran into issues, or forgot their new master password after changing it.

We made a number of tactical errors including:
  • Out of the gate, we inconvenienced a large number of people who knew their passwords were strong and therefore never could have been at any risk.
  • Massively underestimating the amount of media attention we'd receive. This had two effects: 1. it greatly increased the number of users attempting to change their passwords -- our plan was sized for people coming from new computers, which is a small percentage of the overall user base per day and which we could have handled; 2. it drove a big increase in new users as people interested in LastPass attempted to check us out.
  • We didn't have any previous IP tracking data on previously used computers for people without login tracking enabled. This caused nearly all of these people to face a password change immediately.
  • We moved too slowly to shut down password changing once the system was under stress.
  • We weren't prepared to send large amounts of email quickly, especially after turning off a server. (Resolved going forward with Amazon.)
  • Some of our customers were unfamiliar with logging into LastPass in offline mode, which panicked a number of them.
  • Blogger (who we use for blog.lastpass.com) had some downtime through the event.

Additional changes coming:
  • Our next release will make it clear how to log in offline from the login dialog.
  • We've purchased a large amount of additional server capacity so we can handle extreme load events better in the future.
  • We'll be utilizing the 'from a new location' capability in a few new security features.

Update 9, ~11am 05/09 EST:

Many users are changing their password and then finding they can't remember it, and a number have also run into issues with password changes and want to go back. You can now do this yourself without contacting us: https://lastpass.com/revert


Update 8, ~9am 05/07 EST:

We enabled password change for greater percentages of users overnight, and now for all users. Again, please note that there is no need to panic: all accounts were put into a locked-down mode that only allows previous login locations, or verification via email, until the password change.

We're asking any users that have current issues with a password change to use https://lastpass.com/revert to restore from backups. Many of these have been people forgetting what password they changed to, so make sure you practice that new password a number of times after you change it.

We appreciate your patience, we'll continue to update with any changes.

Update 7, ~6pm 05/06 EST:

Everyone should be able to log in (after verifying your email if you are coming from a new IP). We've begun allowing all premium users and a percentage of users to go through password change.

Please note that there is no risk in waiting if you can deal with verifying by email when you use a computer at a new place (IP).

If you experienced an issue with a password change and want to be restored from backups we can do that too and will provide a URL to do it shortly.

Update 6, ~10:30am 05/06 EST:

If you have been experiencing an error contacting the server, please try logging in both via the plugin and the website - you should now gain online access. If you still see an error, please open a support ticket or email support@lastpass.com, if you haven't already done so.

Currently we're not allowing users to change master passwords until our databases are completely caught up and we have resolved outstanding issues. We will update our users via the blog when it is possible to do so.

Thank you for your continued patience.

Update 5, ~1:30am 05/06 EST:

We've added the option for you to say that you know your master password is strong and to avoid the password change; we apologize for not having that available when we announced.

We've identified an issue with roughly 0.5% of users that impacted their master password change, and we will be contacting them tomorrow to roll them back to before the change.

Our focus right now is on resolving issues for the users who have them; we'll continue to provide updates here.

Update 4, ~10pm EST:

Joe's interview with PCWorld covers more details on what happened, what our thought process has been, and what this means for our users: http://www.pcworld.com/article/227268/exclusive_lastpass_ceo_explains_possible_hack.html.

We continue to work as quickly as possible to address user support.

Update 3, ~4:30pm EST:

Logging in offline should be working everywhere if you have logged in using that client before. If you're having problems with this, please attempt to log in via the website: https://lastpass.com/?ac=1 -- that should now take you through an email process to enable your current IP.

If you're having problems getting your data with pocket, make sure you're selecting to login to the local file, not logging in at LastPass.com.

If you changed your password and are now having problems we'll help with that too, please email us if that's the case and include your LastPass email address.

For those who haven't been prompted, and have continued to use LastPass without issue -- we've judged the risk to be low if you're using the same IP -- we're only raising the issue once that changes.

Finally if you have issues with password changes please email us at support@lastpass.com, we can revert you, or we can pull data from backups, but please try LastPass Icon -> Clear local cache first.

Update 2, 2:15pm EST:

Record traffic, plus a rush of people making password changes, is more than we can currently handle.

We're switching tactics -- if you've made the password change already we'll handle you normally.
If you haven't, the vast majority of you will be logged in using 'offline' mode so you can still use LastPass like normal and get back to your day; only syncing of new passwords should suffer (and you'll see the bar).

As load lowers we'll increase the percentage of people being sent through email validation / password changing.

For people experiencing problems, please email us at support@lastpass.com. We have seen a few reports of bogus data after the change; we think this is due to you downloading a stale copy, and if you go to LastPass Icon -> Clear Local Cache and try again it should work.

You can access your data via LastPass in offline mode or by downloading LastPass Pocket: https://lastpass.com/misc_download.php (choose your OS).

---

We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred, and it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

If you have a strong, non-dictionary-based password or pass phrase, this shouldn't impact you. The potential threat here is brute-forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute-forcing.

To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.

We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.

We're also taking this as an opportunity to roll out something we've been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We'll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we'll continue to find ways to reduce how large a target we are.
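As an added illustration (not LastPass's code; the client-side stage is an assumed construction, not their published scheme), the following Python applies the server-side parameters described above, PBKDF2-HMAC-SHA256 with a random 256-bit salt and 100,000 rounds, on top of a client-side derivation so the server never handles the raw master password, and measures how much each stretched guess costs relative to a single salted SHA-256, which is what limits the dictionary attack on a leaked hash described earlier. The function names and the sample account user@example.com are constructed for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Parameters taken from the notification: PBKDF2 with SHA-256, a 256-bit
# server salt and 100,000 rounds. The 32-byte output length is an assumption.
HASH_NAME = "sha256"
SALT_BYTES = 32
ROUNDS = 100_000
DKLEN = 32


def client_login_hash(master_password: str, account_email: str, rounds: int = ROUNDS) -> bytes:
    """Client-side stage (assumed construction): stretch the master password with
    the normalized account e-mail as salt, so only this derived value is sent to
    the server and the raw master password never leaves the client."""
    salt = account_email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac(HASH_NAME, master_password.encode("utf-8"), salt, rounds, dklen=DKLEN)


def server_store(login_hash: bytes, salt: Optional[bytes] = None, rounds: int = ROUNDS) -> dict:
    """Server-side stage: stretch again with a random per-user 256-bit salt and
    keep salt, round count and verifier together, so the round count can be
    raised later without guessing which parameters an old record used."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) != SALT_BYTES:
        raise ValueError("server salt must be 256 bits")
    verifier = hashlib.pbkdf2_hmac(HASH_NAME, login_hash, salt, rounds, dklen=DKLEN)
    return {"salt": salt, "rounds": rounds, "verifier": verifier}


def server_verify(login_hash: bytes, record: dict) -> bool:
    """Recompute the verifier from the stored parameters and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, login_hash, record["salt"], record["rounds"], dklen=DKLEN)
    return hmac.compare_digest(candidate, record["verifier"])


def single_salted_sha256(password: bytes, salt: bytes) -> bytes:
    """One salted SHA-256; used only as the cost baseline below."""
    return hashlib.sha256(salt + password).digest()


def per_guess_cost_ratio(samples: int = 3) -> float:
    """Rough measure, on this machine, of how many single salted SHA-256 guesses
    fit in the time of one PBKDF2 guess at ROUNDS; this is the factor by which
    stretching slows a dictionary attack against a leaked verifier."""
    salt = os.urandom(SALT_BYTES)
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac(HASH_NAME, b"guess", salt, ROUNDS, dklen=DKLEN)
    stretched = (time.perf_counter() - t0) / samples
    n_plain = samples * 1000
    t0 = time.perf_counter()
    for _ in range(n_plain):
        single_salted_sha256(b"guess", salt)
    plain = (time.perf_counter() - t0) / n_plain
    return stretched / plain


if __name__ == "__main__":
    email = "user@example.com"  # constructed sample account
    login_hash = client_login_hash("correct horse battery staple", email)
    record = server_store(login_hash)  # what the server keeps; the master password is never seen
    print("correct password accepted:", server_verify(login_hash, record))
    print("wrong password accepted:", server_verify(client_login_hash("password", email), record))
    print("cost of one PBKDF2 guess vs one salted SHA-256 guess: ~%.0fx" % per_guess_cost_ratio())
```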

For those of you who are curious: we don't have very much data indicating what potentially happened or what attack vector could have been used, and we are continuing to investigate. Our auditing found that our Asterisk phone server was more open to UDP than it needed to be, but we couldn't find any indications on the box itself of tampering; the database didn't show any changes escalating anyone to premium or administrator, and none of the log files give us much to go on.

We don't have a lot that indicates an issue occurred but it's prudent to assume where there's smoke there could be fire. We're rebuilding the boxes in question and have shut down and moved services from them in the meantime. The source code running the website and plugins has been verified against our source code repositories, and we have further determined from offline snapshots and cryptographic hashes in the repository that there was no tampering with the repository itself.

Again, we apologize for the inconvenience caused and will continue to take every precaution in protecting user data.

The LastPass Team.


Update 1:

We're overloaded handling support, and the sheer load of password changes is slowing us down. We've implemented a way for you to verify your email and then not be immediately forced to change your password for that IP; access from any other IP would bring you back to email verification. You can now wait a few days if you know you'll be on the same IP without loss of security, and due to this overloading we think it's prudent to wait.

We're asking if you're not being asked to change your password then hold off -- we're protecting everyone.

1,485 comments:

  1. Hello

    I am getting "Your settings could not be updated" error after trying to reset the master password. I believe other users have encountered same issue.

    Please fix this and add a comment for the same in the blog.

    Thanks

  2. This is yet another "Your settings could not be updated" bug report. Fix it ASAP! Please.

  3. I may or may not be coming from a known IP address (I don't remember if I've logged in from this machine / location before), but when logging into my vault at LastPass.com, I definitely was not prompted or forced to change my master password. And in Settings it looked like I could change my master password without further IP or email address authentication.

    Finally, I agree with many others that an email is past due. Like others, I found out about this from Twitter, and it wasn't even LastPass' Twitter feed.

    LastPass, while I appreciate the security efforts and quasi-notification above so far, the burden remains on you to regain our trust and preserve your loyal user base.

  4. "Your settings could not be updated. Please retry later. error"

    Same error in IE, FF, & Safari. I've got nothing done today because of this.

  5. If some of the encrypted data blobs were taken (no evidence that they were/weren't yet)... wouldn't it be necessary for a user to change more than just the (possibly brute-forcible) master password?

    Pm

  6. For free users it might be worth looking at enabling Grid Authentication to provide that extra security step. I have done this and depending on the outcome from this possible intrusion I am then looking at YubiKey to add the extra security step if I stay with Lastpass.

    In theory I thought that even if data was copied from the servers it would be AES encrypted so useless but it sounds like the email address, password hash and the server salt used in the hash creation were all available for someone to obtain and the concern is that the email address and the cracked password could then be used to access your account. I am hoping that a password change and having an additional security step - either free grid or paid for yubikey - will mitigate this risk.

    Only Lastpass would truly know how risky any data theft could be so we have to be guided by them.

    On the one hand Lastpass allows you to have strong unique passwords for every site you log into, thereby increasing your security, and on the other hackers would have access to all this information if they were able to access your account. That is a lot of trust to place on a free password service and this is a big wake up call.

  7. I just switched to LastPass within the last week, so I'm not very happy with this, but I do appreciate the immediate response to a possible intrusion.

    I am also getting an error when I try to change my password: Your settings could not be updated. Please retry later. error

    I get this on both Chrome and IE.

  8. If there is a suspicion of a security breach, why wasn't an EMAIL sent out to all LP users? You put this on your company blog? I had to find out about this from an external news site. Really, not cool!

    I also wasn't asked to change my password upon login this morning, so something isn't right here. I have now tried to change my master password, but I am getting an error when trying to do that. Apparently after re-encrypting the data it is unable to upload the info. So either your servers are getting hammered or something is seriously messed up. This is starting to look like amateur business - I am VERY disappointed right now.

  9. I can understand what people at lastpass are doing is to protect my data.

    However, after I have changed my password and I relogin to lastpass, on logging in lastpass asks me to change my password again, and this keeps happening on subsequent logins, which is very frustrating to say the least.

    Please fix this. I also want to take the opportunity to the people at lastpass as they have made my life a lot easier by developing lastpass.

    Hope this gets fixed soon.

  10. @Thomas B

    Yes.. My DATA should be on the server.. however my PASSWORD should not. That's the whole point of Lastpass..

    Without the PASSWORD the DATA is useless.. I'd happily send that to anyone.

  11. Getting the same error as ABOVE when changing password ?

    I am getting "Your settings could not be updated" error after trying to reset the master password. I believe other users have encountered same issue.

    Please fix this and add a comment for the same in the blog.

    Thanks

  12. Upon changing my password, it downloads my data, re-encrypts it, then tries to upload it back to LP, but I receive an error: "Your settings could not be updated".

    Please help!

  13. Two goes at changing my master password and all works now. Cheers :)

  14. I need help...I looked for pocket and didn't like what I found, for one thing having to pay for a download, other "pocket" programs didn't look safe or looked too invasive or didn't seem to apply to email recovery...searched and tried other password finders. I don't know how to log in offline although I tried. Sorry to be low tech but a post that includes a link to the appropriate pocket or a step by step instruction on how to do the off line login would be nice. I wasn't angry but now I am after trying to figure this out on my own for more than an hour. Now I guess I have to watch this forum hoping to see some help.

  15. Found this blog posting thru a Google search.

    Each time I tried to log into the LastPass site it accepts my ID & password, but, before my sites appear I see "An error has been encountered while loading your sites. Please relogin." and I am returned to the login screen.

    From this post I am guessing this is because I am trying to log on from work instead of home. Will check again this evening.

    Please keep us up to date on your findings. I love the service and have come to rely upon it. Good call making security a priority.

    Good luck.

  16. Getting the following error when trying to update my password:

    Your settings could not be updated. Please retry later. error

    This is not the way to start the day.

  17. can't change master password. losing the trust...

  18. Your settings could not be updated. Please retry later. error

  19. I changed my master password as a precaution, but now I keep getting this:

    An error has been encountered while loading your sites. Please relogin.

    I can't view/use all my sites. Help!

  20. ....
    LastPass must reencrypt all of your data because of a key change.

    Uploading your re-encrypted data...

    Please keep this page open until the operation completes.
    ...
    Your settings could not be updated. Please retry later. error
    ...

    ???

  21. Can not change master password .....
    This is what I get....
    "Sorry!A problem occurred when changing your password. Please try again."

    Every time..... Same error message....

  22. It looks like LP has stopped responding to this thread. Like many users, I too did not receive any email announcement yesterday or today (5 May) nor was I forced to change my master password. The service is working exactly as it always did, so something is clearly amiss because many users have been locked out. I wonder if those who used strong passwords (like me) were exempted in this first round...

  23. "We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blobs."

    This is a bit worrying any plans to notify those users? Since it sounds like for those users ALL passwords are now available. If they have the password and the data.. they can use those offline even if you have changed the master password..

    Sounds pretty bad to me.

  24. I'm completely dead in the water without LastPass. The master password reset is failing with error:

    Your settings could not be updated. Please retry later. error

    Not cool. I can't access anything now until this password reset is fixed. Seriously reconsidering my choice of LastPass right about now. And I'm a paying customer and have been a champion of LastPass for a long time.

  25. Any ETA on the "error" after re-encrypting/updating? I'm locked out of my accounts until this is fixed.

  26. LastPass, while I don't know if this financially viable for your company, but to help regain trust and keep your free users, I suggest offering a free or discounted upgrade to LastPass Premium. I now see the necessity of multifactor authentication and other extra security features, but don't think I should have to pay full price to upgrade because of a possible security breach on your end.

  27. Naw, I had a strong password (30 chars of random characters and symbols) and I've been locked out of my account. "Please try again later. Error"

    Disappointed in this; if I know my password was strong and I have nothing to worry about, just let me keep my damn password. I'm just going to change it and then change it back, but can't even do that because an error prevents me from changing my password. Good intent, but try making it work!

  28. Sigh, can't you people actually read and understand what's happened before crying about your password being stored and your data compromised etc.
    Your password wasn't and isn't stored, just a highly encrypted version of it that would only be crackable if you've been stupid enough to have an easy dictionary word as your master password. No one has managed to get your other passwords etc so stop giving them grief about it. Well done the LastPass team for being so honest and proactive about this issue.

  29. Can't change my password either.

  30. I have to say how impressed I am with the actions taken by LastPass. Not only did you immediately prepare for the "worst case scenario," but by disabling account access until ownership control was verified, you also rendered any pilfered information useless.

    This is just another reason why I recommend LastPass to all my friends and family.


    Thanks!

  31. Same error as others "A problem occurred when changing your password. Please try again."

    No email from lastpass, had to google to find this page. Why is this buried on the blog and not on the front page?

    Unable to login, unable to access a number of the sites I need for work. Awesome.

  32. I get an error when I try to change my master password. Settings could not be updated. Please retry later.

    Not at all helpful, really.

  33. Forcing all users to change their passwords, even those who knowingly created a strong one, is a mistake. Doing so while having some kind of flaw that prevents users from changing their passwords and accessing their account, is a huge mistake. I've effectively been locked out of all my accounts for basically no reason, given that I have a strong password.

    I hope LastPass realized the magnitude of this from a PR standpoint.

  34. I agree with @Anon 9:51am. I too had a 30 character, very secure password and am not terribly worried. Why am I being FORCED to change my master pass? Now I can't access any of my credentials, and I am basically screwed on a very busy morning for work.

  35. Same here... Your settings could not be updated

  36. To everyone who is using Chrome and having an error when trying to re-set the password when it is re-encrypting the data: Try using another browser like Internet Explorer to do this. I was having trouble for the longest time, but it worked with IE. I'm not sure what the issue with Chrome is, but it seems to be giving many people problems with resetting the password.

  37. Anonymous said:
    "Changing password is obviously sensible, but rather like closing the gate after the horse has bolted as if the data has been acquired it'll be cracked using old passwords."

    If you read what has been stated, LP do not believe any actual user data was taken, only potentially the password hashes and related stuff. So, if this is the case, and the infiltrators run a brute force attack on the data they have, and you have used a very weak password (which is insanity, but...) which can be guessed via a dictionary attack - then they have your old password, and can then log in to LP as you to retrieve your data.

    This is why people are being forced to change their passwords.

    *If* the data they took is decrypted via a brute force attack and your weak password is recovered, the *most* they'll be able to recover is an old password, which won't be able to log them into your account and retrieve your data - so your data will still be safe.

    So changing your LP password is *not at all* like closing the gate after the horse has bolted.

  38. I confirm Melaine's comment.... changing the password in IE works, fails in Firefox and Chrome.

  39. This is why I'm not crazy about the idea of my password file sitting on a server with millions of other peoples' password files -- it's a huge target. I use 1password and my password file exists only on my local machine.

  40. This: "If you read what has been stated, LP do not believe any actual user data was taken, only potentially the password hashes and related stuff."

    Is not what they said.. They said they didnt think MUCH user data had been taken.

  41. I'm glad to see there are so many security experts.

    To LastPass: this seems like it could have been handled better, but your actions were warranted and I appreciate you not just sitting on it.

  42. I've changed my LastPass master password and I lost all my passwords ...
    The sites are still in my list but the username & password info are lost now .....

  43. I don't know how it is possible, but my account appears to have been deleted. I just logged in to my gmail, to find an email from lastpass showing a confirmation message of account deletion.

    Fortunately I was able to restore control over the gmail account, thanks to Google's Authenticator, but I am a bit confused now.

    Is there a way to get my account back, or is everything gone meaning that I no longer have anything but that whoever got in to Lastpass now has everything I stored on it?

  44. my data was updated but now it is gone (after login) and I keep getting the "change pwd" screen

  45. I can login, but my passwords are gone... I hope it's temporary.

  46. A (disappointed) fan! - May 5, 2011 at 10:07 AM

    My partner just changed her master passwords & received various status messages regarding re-encryption of her data including a final one that re-encryption was complete. Then logged back in with new password. All her entries are corrupted or empty. H E L P !!!

  47. Royal pain in a$$. Shopping for a PC-client app. Sorry LP. I've often reco-ed this but no more. Can't be trusted. End point.

  48. I just updated my password and now when I login all passwords and notes are either blank or have asian characters in place of any writing.... is there a way to restore the account?... currently almost all my entries are now blank after the password update. UPDATE PLEASE!

  49. Received error message when trying to change master password 4 or 5 times this morning. Finally able to change the master password, only to login and all my data is corrupt. Help!!

  50. The entries are corrupted on the website.. but try the plugins.. they are working ok there for me.

  51. I am also getting the error when it fails to upload encrypted data after trying to change my master password. Password change fails, too.

  52. Having changed password and receiving various re-encryption status messages including re-encryption completed, and now logging in with new password, all entries are either corrupt or empty. H E L P !!!

  53. I received notice about the security problem via an online article, not from lastpass. I changed my master password (1st time it wouldn't take it), and now all my passwords are wiped out!

    Why is this happening?

  54. I also want to praise your transparency regarding this issue. It is good practice anyways to change your master password from time to time, and it being the only password you have to remember you'll memorize it quickly anyways.
    Lastpass naturally is a huge target for attacks and to err on the side of caution is prudent, even if in this case it's not really necessary in my view.
    If you don't feel comfortable with Lastpass anymore, I recommend you educate yourself about how your passwords are stored at Lastpass or just trust companies like Facebook and Google to be a repository for your logins...

  55. Both Chrome and Firefox plugins are corrupt for me.

  56. I am not able to access my passwords from my work laptop, but I can still get to my passwords from my home PC using Firefox. I have tried to update my master password several times now, and each time it re-encrypts my password files - then refuses to let me in with my new password.

    Thankfully, I have my email and work passwords all memorized, otherwise I'd be in trouble.

    Let us know when the bugs are fixed. Thanks.

  57. Change the master password without problems.

    Keep the good work LP !

    Everyone is changing password right now and maybe that's why you are getting "error, please try again later"; don't panic and try again later.

  58. After receiving the "Your settings could not be updated" error mentioned above a few times, I was able to change my master password. After re-installing the Chrome browser extension, all the entries in my vault are there, but the data in each entry is gone. No logins, no passwords. Have you encountered any instances of data getting wiped out?

  59. Passwords are corrupt for me too. This happened last time I changed the master password. They should be back soon, it took under an hour to have them reencrypted (or whatever is done on their side) and reuploaded the first time. I imagine with everyone changing their master password, it may take some more time though.

  60. It's absolutely fantastic that I had to find this out via the Full Disclosure mailing list this morning instead of, you know, an actual email from LastPass. I suppose it's a mixed blessing that I only use your service for incidental sites; nothing of value would be compromised, however, I wonder how many other users who only use LastPass sporadically will end up having their master passwords unchanged for some time.

  61. So. I changed my password. At first I continued to get 'an error occurred.' FINALLY when it let me in, I come to see All. My. Passwords. Are. Gone!! Including my secure notes.

    Now, HOW DO I GET THEM BACK??!!!

  62. While this is disappointing, when compared to the last hack with Sony, I appreciate your quick posting acknowledgment of the problem, what you think happened and what you think we should do.

    I will probably add some form of multifactor authentication going forward. I just wish I could use a USB key at work (they've locked down USB ports)...

    ReplyDelete
  63. I've changed my password, and guess what?

    All the passwords in the vault are gone.

    All of them.

    I can see the sites, but that's it.

    Thanks LastPass, but goodbye.

    ReplyDelete
  64. Thank you for your paranoia, quick action and full disclosure. I see that it's quite inconvenient for you, but these things are bound to happen, and I appreciate your paranoid reaction and wish you luck working out the kinks in the system (practice makes perfect eh? =).

    Thanks!

    ReplyDelete
    I want to go on record and say that first off, LP has done a fantastic job at what they do. It's not their fault if 1) customers (free or paying) have created shoddy, weak, easily guessable Master passwords - you shouldn't be doing that in the first place. 2) As far as 3rd party auditing? give me a break; they already have a secure page set up so anyone can deep packet inspect how they encrypt, decrypt and store your personal data, so please find another excuse to satisfy your delusions 4) Quit bringing up SONY as a poor example of lackluster security measures; SONY still claims their credit card table was encrypted all along, even though security researchers are claiming that the hackers would have had access to even that database since they would have been looking at it from within. My point is don't confuse a huge corporation that thinks they can get away with poor security management with a smaller, more in tune company like Last Pass, where I believe Mr. Siegrist is a partner, who has been helping the lazy people commenting here. I don't see SONY's CEO commenting on their blog (well OK Seibold is but still, my point stands)
    5) As the company alluded to in their post, they saw, quite quickly I might add, anomalies that they didn't like, and acted quickly. Even though they disclosed that they didn't think anything important was breached, that there was nothing to be concerned about, they alerted everyone as soon as possible (unlike Sony, as folks are claiming) and they decided to take pre-emptive measures and people are complaining? Bullshit. Quit whining about a free product, and even the paid version (which I purchased myself) is pretty cheap, considering the amount of protection they have implemented in their product and are providing for you; other corporations that utilize the same level of protection are prohibitively expensive.

    Furthermore, I'm sure hackers aren't going to care about what email you have stored, or what little money you may have (a free product don't forget) in your measly bank account, so please, enough already.

    Philip

    ReplyDelete
    Changing my password has caused ONE GIGANTIC CLUSTER EFF!!! 151 stored passwords are all junk, no data in them, just cute little icons and a bunch of Chinese gibberish all over the page! I guess I am going back to KeePass and 1Password! DAMN YOU GUYS!!

    ReplyDelete
  67. I am a paying customer. I don't consider a blog post and password change enough notification.

    - Where is an email to alert your customer. I know this takes a while but you need to do this in addition to the other methods of notifying your customers.

    - Why hasn't anything about this been posted via your twitter account?

    - Why have you not posted a big message to alert users on your home page, or at least on the login page.

    OF COURSE they _ABSOLUTELY_HAVE_TO_ do better than Sony. A compromise of your password database has far greater implications than a breach of Sony's PS network. You should not be praising LastPass for this. It is to be EXPECTED!

    Furthermore, there are some real valid points being made here that should really get answered.

    - What prevents the potential attackers from simply repeating their attack since no specific vulnerability has been identified or fixed?
    - When will the forced password change affect users whose IP address hasn't changed, and will they be forced to change the password at that time even if they manually change it now?
    - Why is it possible that your Asterisk phone server can be used as an attack vector?
    - You seem to make the assumption that email accounts can be used to verify account ownership despite the possibility that these email accounts may have been compromised as a result of this issue.
    - Why do you allow the creation of a master password that can be brute forced?
    - What caused the "mobile device" and now get "unknown message" errors and when will this be fixed?

    ReplyDelete
  68. Yes, I've changed my password and now everything in my vault is all a bunch of junk characters.

    Lastpass, goodbye.

    ReplyDelete
    So I changed my master password and waited for it to finish re-encrypting my database. However, after logging in with the new password ALL of my data seems to be corrupted!

    ReplyDelete
  70. changed my password now all my data is broken and I CANNOT LOG IN. OH YEA!!!

    THANKS FOR NOT PUTTING THIS ANYWHERE ON YOUR HOME PAGE!!! JUST KEEP ON SELLING CRAZY!!

    ReplyDelete
  71. If you've changed your password and now your passwords are corrupt/blank, you can try using LastPass on a computer that you haven't updated the password on, in offline mode.

    I used my laptop (which was off during the time I changed my password), made sure it had no connectivity, signed in to LastPass using my old password and then exported my database.

    ReplyDelete
  72. I changed my master password. I followed your instructions. Now my account is all messed up. My usernames are all garbled and the passwords are gone. This was not supposed to happen. How long before I can get back in successfully? I sent an e-mail to support@lastpass.com but I am still waiting. This is ridiculous.

    ReplyDelete
  73. Thanks for the communication, Joe, et al.

    Though I kept my email password separate, and one that I knew--this is a good lesson that I will always keep it that way. That way I can never be locked out of email.

    For everyone else, here's to hoping your Lastpass password was very secure--it's always a good idea to have a non-dictionary, difficult, and long password. PITA at times, but in these cases, a pretty good idea.

    I think after the PSN fiasco, LP is being super safe, and I'm glad for that.

    ReplyDelete
  74. If you are about to change your password STOP - download the POCKET.EXE application from Lastpass and export your passwords to a local encrypted XML file. Then if something goes wrong you still have your passwords.

    ReplyDelete
    It said it sent me the e-mail, but I haven't received it after 5 minutes :(

    ReplyDelete
  76. THE CORRUPTED PASSWORDS ARE ONLY VIA THE SITE/VAULT IN BROWSER.

    CHECK THE PLUGIN.. THEY ARE PROBABLY FINE THERE. (I've checked 3 accounts now and have the same in all three)

    ReplyDelete
  77. I am also getting "Your settings could not be updated" error

    ReplyDelete
  78. I am with Philip, LP does a great job. I'd rather LP err on the side of caution. Learn from this and improve.

    ReplyDelete
  79. WOW This is not even on Your home page.
    SAFE MY ASS. ...I am SOOO MAD OVER THIS..

    ReplyDelete
  80. Half the people on this forum are a joke:

    "I appreciate the response.... everyone is human.... blah blah blah.."

    This is unacceptable. It's like giving a bank your money and then they lose your money to a thief. Lastpass is in the business of passwords. It is simply not acceptable for them to lose such a valuable asset everyone has trusted them with.

    We need details. I am a security professional and some very very valuable and important questions have been shared within these comments. There have also been some very troubling responses from Lastpass.

    " 1.25+MM users would take too long to email unfortunately. " - Are you kidding me

    ReplyDelete
  81. Seems to work in Safari though. I hate Safari

    ReplyDelete
  82. This just messed up all my saved info, now what???

    ReplyDelete
  83. I submitted a help request concerning all of my data being gone after a password reset, and now the site shows that I have no open tickets. I guess they just deleted my request.

    ReplyDelete
    I changed my master password, then LastPass reported an error when updating my sites. I retried and now all my sites are EMPTY, no user, no password.

    IMHO, No further comments are needed

    ReplyDelete
  85. I followed instructions and now all my categories are gone, I only see icons (no site names) and there are no usernames or passwords. In chrome, firefox and on the lastpass site. I can't do any work. It will take dozens of hours for me to recreate, and when I do, you can bet it won't be in last pass. Shame on me for not having a back up of this info. I hope you can fix.

    ReplyDelete
  86. Here are some things that must be answered for me to continue using Lastpass:
    1. "Your encryption key is created from your email address and Master Password. Your Master Password is never sent to LastPass, only a one-way hash of your password when authenticating, which means that the components that make up your key remain local." - This quote came from the Lastpass user manual. If my master password only exists locally why is there a security concern? If my master password exists elsewhere, encrypted or not, I want to know where exactly it is stored.
    2. Where was the breach and what prevents the hack from happening again?

    I expect these questions to be answered in an email or blog post that I can find without having to rely on outside sources to find. Don't get me wrong, I am glad that Lastpass has taken this incident seriously and am very satisfied with the way the recovery is proceeding. I just want to make my expectations clear to the Lastpass team, whom I am sure are monitoring this thread still.

    ReplyDelete
    I have changed my password, but now all my accounts are empty!!!

    ReplyDelete
  88. Just so you know, your website is completely broken in Safari. When logging in I just get sent back to the login page and when clicking "account recovery"... weird stuff happens. Works OK in firefox (I think...)

    ReplyDelete
  89. Hmm.. If i didn't get an email from you guys, should i be worried?

    ReplyDelete
    I am having a "ton" of problems with this change you have made. The passwords for my many accounts are garbled or corrupt and I cannot use them. This will be a huge problem because I must go and reset at least 15 to 20 accounts. This is very disappointing and I recommended your software to many of my friends and colleagues.

    ReplyDelete
  91. hello..

    I changed my master password like 30 minutes back... later all my data is gone... usernames/sitenames/passwords everything became blank...

    Is my data permanently gone..

    ReplyDelete
  92. changing my master password has corrupted my entire lastpass vault!

    please hold off changing your master password until they get their act together!!

    ReplyDelete
  93. VAULT CORRUPTED!

    As a result of reading this post, I successfully changed my master password, but now all the information other than the site URLs is MISSING! I have "refreshed", deleted the cache, even uninstalled and reinstalled LastPass. Same thing. Most of the site names have been blanked (the URLS have survived) except the first three which look suspiciously like random unicode characters being printed by Firefox. This makes me wonder if the re-encrypt after the password change failed? Ahh! I had many passwords stored here! What gives?

    -- A little bit worried/frustrated LastPass PREMIUM user.

    ReplyDelete
  94. Changed my password as directed by the LastPass website; actually created and saved it in a local text file. Tried to log-in with the copy/pasted password, getting "Invalid password!" error.

    Awesome. Awesome.

    ReplyDelete
  95. STINKS OF FISH! There has been no response from anyone purporting to be LastPass staff on this blog for hours. I deleted my account as soon as I heard, and then for interest tried to open a new one with a new password. That didn't work BUT my old password did, although I have the 'sorry to see you go' message from LastPass after I deleted the account.
    Safer to remove all trace of lastPass from your computer and try something different.

    ReplyDelete
  96. I keep getting this error after changing my master password:

    An error has been encountered while loading your sites. Please relogin.

    You a$$holes. Get this fixed!!!!!

    ReplyDelete
  97. With lots of unknowns on this incident. And lots of folks flooding the system with password updates.

    LP, do you think it's smart to hold off making any account changes? Currently all works fine on my systems and devices.

    So I'd like to NOT make any changes. Especially as my master is very secure (100% when tested) and not a dictionary word.

    ReplyDelete
    I made the change in my master password and now when I log back on all of my passwords, identities, and secure notes are wiped out.

    Did your process wipe them out or is this part of the hack?

    ReplyDelete
    I am seeing corruption on all of my entries. There is no username/password, and many records may just be gone completely. This is distressing, after going through a forced re-encryption process that offered no option for backup.

    ReplyDelete
  100. Still looking for help...any poster/reader out there who can tell me which pocket they mean or how to log in off-line would be greatly appreciated. Please address response to RebeccaZ so I can see it. Lot of work combing through these posts.
    Please help!

    ReplyDelete
  101. http://204.12.26.207/last_pass_sucks.png

    ReplyDelete
  102. I tried to log in, sent myself the email, confirmed, then changed my password. Now my accounts are all garbled - I'm guessing that they didn't decrypt/re-encrypt properly. Not happy!

    ReplyDelete
    Screw you guys - I'm going home.

    ReplyDelete
  104. I reset my master password and now all of my passwords are scrambled, some showing Chinese characters. LastPass has screwed up completely!!!!!!
    Help!!!!

    ReplyDelete
  105. SAME THING HERE HELP!!!!

    http://204.12.26.207/last_pass_sucks.png

    I reset my master password and now all of my passwords are scrambled, some showing Chinese characters. LastPass has screwed up completely!!!!!!
    Help!!!!

    ReplyDelete
  106. Kudos for being proactive in ensuring our information is protected from brute force attacks even as you always keep it protected from password theft.
    Bummer your decision was not supported by capacity in your web system. Consider some scaling strategies in the future.

    Keep up the good work, and don't let those who complain but do not understand deter you.

    ReplyDelete
  107. I just changed my master password and all of my passwords and logins have been corrupted... they are either blank or gibberish.

    ReplyDelete
    When I log in I am told to activate my email. I have done this twice but still I am redirected to the page to send another activation email.

    ReplyDelete
    Also wanted to confirm that I keep getting an invalid password message whenever I try to log in or whenever I try to change my password even though I know it is right (password hint is still the same). I appreciate that you have this blog but this situation actually shows that the one password you have to remember can turn into the one password you do not want to have a problem with.

    ReplyDelete
  110. Thanks for your decision to go public with this Lastpass. Whilst some people have valid points and they are right to be distressed, they do not understand that what you have done is correct given the scenario.

    As a paying customer I request you please drop the arrogance and look for 3rd party help in the form of Auditors.

    ReplyDelete
  111. Changed my master password. Was asked to re-login. Now I have access to someone else's data. http://i.imgur.com/XbwCH.png

    ReplyDelete
  112. "Do not understand", how about shut down the service while this is being fixed ???

    I am changing all of my important site passwords ASAP.

    HAVING TO CHANGE YOUR PASSWORDS = THEY MAY NOT BE SAFE .. IF THIS WAS HACKED SO COULD SALTS + HASHES.

    NICE JOB LASTPASS!!! Kudos MY ASS!!!

    ReplyDelete
  113. Someone else asked this, but I didn't see an answer "I thought the whole point of LastPass was that even if hackers were able to obtain bits of information regarding your account, none of it would be even legible. The passwords are encrypted, the information is encrypted, and LastPass even boasts that they don't keep our password stored on their server in any identifiable way. So why force a mandatory change of password when the system itself should protect us against attack?"

    Thanks,
    -snekse

    ReplyDelete
  114. WOW!!! Changed my master password. Was asked to re-login. Now I have access to someone else's data. http://i.imgur.com/XbwCH.png

    ReplyDelete
    That's why I don't use crap like this :)

    ReplyDelete
  116. Changing the password does not work. I get a window asking to update the changed password, but the window is greyed out and unavailable

    ReplyDelete
  117. Wow, way to break your own service.

    I changed my password but it won't let me login with it.

    Sigh.

    ReplyDelete
  118. The second post above at May 4, 2011 11:18 PM advises to login "offline mode".
    I disconnected from the Internet before launching FireFox and then clicked on the LastPass icon and attempted to login.
    That seemed to fail - I was unable to right click and see any of the hundreds of sites to which you hold my passwords.
    Is there a better way to select "offline mode" ?

    Several times I have sent my email address via
    https://lastpass.com/activate.php?email=myname%40mysite.com
    Now you are telling me that Gmail is putting your response into spam and I should mark it as NOT spam.
    How do I mark it as Not Spam if you will not give me my Gmail password ?
    How do I read your "further instructions" without access to my Gmail Account ?

    NB My ISP is TalkTalk who give me a dynamic IP address once or twice a month. I am probably still using last week's IP address but cannot log into my router to confirm because again you will not give me my Router Password.

    I STRONGLY RECOMMEND that you permit a secondary email address for delivery of "further Instructions" so that when you lock out my primary address there is a fall-back.

    WHAT DO I DO NOW ? ? ?

    ReplyDelete
  119. I cannot believe you are forcing me to change my VERY secure password. In fact I think it is ridiculous! You could give the option but not force people.

    ReplyDelete
  120. LastPass Team:

    I'm not currently a LastPass customer, nor was I familiar with what you did until I saw this post over on Hacker News.

    Given the Gawker intrusion months ago (that got me) and the Sony breach (that got me again) I have been conditioned to expect my "Cloud" companies/sites to more or less compromise me and then notify me of the problem well after the fact; too late for me to do much on my own.

    I've also come to accept short-comings on the part of security teams at these companies and just expect that I'm on my own.

    Last Pass seems to be the OPPOSITE of that.

    Before you even have all the details, but after enough detailed investigation to realize something *MIGHT* be going on (still no proof of it) you notified your users immediately so they could take precautionary steps themselves.

    The detail you provided gave investigation steps that I didn't think anyone was even doing anymore; checking traffic in/out from sources to make sure it's all accounted for, sys logs, connection logs, etc.

    Color me impressed.

    Your proactive approach to this (as painful as I'm sure it has been) has actually convinced me to sign up.

    In some unexpected way, this post ended up being some solid marketing for you guys because as a non-customer, I got to see how you operate inside and I'm sold; you guys know what you are doing.

    Keep up the good work and know that not all the fallout from this is bad/embarrassing. I am seeing much the same impressions I had over on Hacker News and from some comments here from the folks that appreciate what is being done.

    ReplyDelete
  121. Be careful folks. After a couple of errors "your settings could not be updated" my account updated the password but now my Lastpass database has all the entries but they are all blank! That is, no usernames or passwords!

    ReplyDelete
    What the hell? I just changed my password, I wrote it in Notepad to double check that I wrote it correctly and then copied and pasted it.

    Now LP is telling me the password is invalid, I DON'T have any of my passwords stored so I'm locked out of EVERYTHING including my email..

    what am i supposed to do?

    ReplyDelete
  123. "Sorry to hear that Travis. Simply changing your master password would have done the trick." --https://twitter.com/#!/LastPass/status/66154113439768577

    Umm NO? Seems like changing the master password currently creates more problems than it solves. For people who already had very strong master passwords especially.

    ReplyDelete
  124. Here's the thing. I *know* my password, and it *wasn't* a "dictionary word" ... but as of this morning I'm completely locked out. And my attempt to reset the password using YOUR tools have only made it WORSE. (I submitted a password reset, and CHANGED the pwd hint so I could see when it changed. But you are still showing/delivering the *old* pwd hint.)

    Add to this the pathetic, half-assed letter above ... and the total void of ANY actual support to resolve the problem (which is likely system-wide, and affecting a ton of people), and you have an EPIC fail. Why would ANYONE **EVER** pay you anything for "premium" service.

    Oh, and you COMPLETELY screwed up xMarks, too!

    You suck.

    ReplyDelete
  125. "Before you even have all the details, but after enough detailed investigation to realize something *MIGHT* be going on (still no proof of it) you notified your users immediately so they could take precautionary steps themselves."

    Users, including premium subscribers who pay for the service, have NOT been notified properly actually. Nothing was on the homepage, no emails were sent, their twitter didn't mention anything. The only thing was this blog post, which not everyone reads. They could do a lot better.

    ReplyDelete
  126. Help.. After changing master password now my entire vault is corrupted. I have many passwords, mostly porn passwords.. Now I cannot access them at all.. No porn for tonight.. Help...

    ReplyDelete
  127. I'm having problems similar to the ones reported by others here.

    Latest reported message when trying to login to LassPass: An error occurred. Please try again in a few minutes. Server: 38.127.167.14 ip: 72.48.95.234

    ReplyDelete
  128. Any chance you can post the instructions here to reactivate? I am not receiving the email upon clicking on the button to send it. Not using gmail nor is it going to spam folder.

    Really need to access my passwords for work asap!

    ReplyDelete
  129. I am trying to log in from an IP address that I use all the time, and it's not working, 11:15am EDT Thurs May 5. My master pw is a 10 character, non-dictionary random string...and I still cannot log in via LP Web site on Firefox. Should I just wait it out?

    ReplyDelete
  130. I only found out through ...
    PCWorld Latest Technology News feeds, otherwise I wouldn't have known.
    I cannot change my password either, time to say goodbye!

    ReplyDelete
  131. @RebeccaZ
    In the browser with which you normally use the LastPass Plugin, go to File --> Work Offline. Then login through the plugin as always.
    [If you're worried about losing your passwords, you can always export your locally stored LP vault by going to 'Tools' --> 'Export to' in the LP plugin. I would recommend exporting it as an encrypted LP file, the other options are not encrypted!]
    This will open a new tab prompting you to update your master password. Once that is done you'll receive a verification e-mail, click on the link inside and your new master password is activated.
    I had to re-login with my new master password again, and haven't had any problems since then.

    While you're at it, I recommend enabling the multi-factor authentication grid (click on account settings inside your vault). It is available for free users as well. This restricts login only to devices you have authorized, so even if your master password is cracked, the hacker would have to have access to your device.

    ReplyDelete
    Last pass you'll ever have to remember because everybody else on the planet might have it by now...

    If the signon password is compromised what good is it for a forced change... these guys don't know enough about security to be trusted with logon profiles. Users beware

    ReplyDelete
  133. Our DB is running behind right now - your master passwords have been successfully changed but because of the high amount of traffic we're still pulling your old vault data, which won't decrypt properly with your new master passwords, which is why it looks like gibberish. We're working hard to resolve our server issues and when we do your data should decrypt properly.

    ReplyDelete
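Comment 86 quotes the manual's statement that the vault key is built locally from email address and master password and that only a one-way hash is sent at login; comment 133 explains that the gibberish people are seeing is old vault data being decrypted with the new key after the master password was already rotated. The following is an added, constructed illustration of both points and is not LastPass's code: the page does not describe the real KDF, cipher or iteration counts, so the PBKDF2 parameters, the separate login hash and the toy HMAC-based stream cipher with an authentication tag are all assumptions chosen so it runs on the Python standard library alone. It derives the two values from the local inputs, rotates a vault the way a client-side password change would, then applies the new key to the stale blob to show why the client displays garbage, and how an integrity tag would let it refuse instead.

```python
import hashlib
import hmac
import os

# Assumptions for this example (not from the page): PBKDF2-SHA256 with this
# iteration count, a login hash layered on top of the vault key, and an
# HMAC-based counter-mode cipher standing in for a real AES mode.
ITERATIONS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(email, master_password):
    """Return (vault_key, login_hash) from the two client-side inputs.

    vault_key never leaves the client. login_hash is one further one-way step
    over vault_key, so a server holding it cannot recover the vault key.
    """
    salt = email.strip().lower().encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, salt, 1, dklen=32)
    return vault_key, login_hash


def _subkeys(vault_key):
    # Separate encryption and MAC keys from the vault key via labelled HMAC.
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    # Toy counter-mode keystream: HMAC-SHA256(enc_key, nonce || counter).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_entry(vault_key, plaintext, nonce=b""):
    """Return nonce || ciphertext || tag for one vault entry."""
    nonce = nonce or os.urandom(NONCE_LEN)
    enc_key, mac_key = _subkeys(vault_key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_entry(vault_key, blob):
    """Verify the tag before decrypting; a blob encrypted under a different key is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(vault_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("entry does not verify under this key: stale vault data or wrong password")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def decrypt_without_check(vault_key, blob):
    """Same decryption with the tag ignored: what a client that trusts whatever
    the server returns ends up rendering."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    enc_key, _ = _subkeys(vault_key)
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def rotate_master_password(email, old_pw, new_pw, vault):
    """Client-side master password change: decrypt every entry with the old
    key and re-encrypt with the new one, then the rotated vault is uploaded."""
    old_key, _ = derive_keys(email, old_pw)
    new_key, _ = derive_keys(email, new_pw)
    return [encrypt_entry(new_key, decrypt_entry(old_key, blob)) for blob in vault]


def demo():
    email = "alice@example.com"  # constructed sample account, not a real user
    old_pw, new_pw = "correct horse battery staple", "rotated-after-notification"
    entry = b"site=https://example.org user=alice pass=hunter2"  # constructed entry

    old_key, old_login = derive_keys(email, old_pw)
    new_key, new_login = derive_keys(email, new_pw)
    vault = [encrypt_entry(old_key, entry)]
    rotated = rotate_master_password(email, old_pw, new_pw, vault)

    # The failure mode from the thread: the server is still handing out the OLD
    # blobs after the password changed, so the client applies the NEW key to them.
    try:
        decrypt_entry(new_key, vault[0])
        stale_rejected = False
    except ValueError:
        stale_rejected = True

    return {
        "login_hash_differs_from_vault_key": old_login != old_key,
        "login_hash_changes_with_password": old_login != new_login,
        "rotated_entry_decrypts": decrypt_entry(new_key, rotated[0]) == entry,
        "stale_blob_rejected_with_tag": stale_rejected,
        "stale_blob_without_tag_is_garbage": decrypt_without_check(new_key, vault[0]) != entry,
    }
```

The last result is the "Chinese characters" several commenters describe: decrypting under the wrong key yields uniformly random bytes, and a browser that interprets those as 16-bit Unicode code units lands many of them in the CJK ranges. With an integrity tag the client can refuse to render the stale blob and retry instead; without one it cannot tell a corrupt vault from a valid one. Either way rotation is a destructive client-side rewrite of every entry, which is why the advice elsewhere in this thread to export a local copy before changing the master password is sound.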
  134. All,

    If you're seeing a "settings could not be updated" error, please try clearing your browser cache, then going through the steps again.

    If you see a blank vault, please wait 10-15 minutes as our databases catch up with the changes. If you continue to see decryption errors after this time, please contact our support via https://lastpass.com/my.php.

    We are working as quickly as possible to address these issues and answer user questions.

    Best,
    Amber & the LastPass Team

    ReplyDelete
  135. I have a problem:
    Every time I close and open Mozilla Firefox, LastPass gives me this error:

    "An Error Has Been Encountered While Loading Your Site, Please Relogin"

    Error Image:
    http://www.astahost.info/host/images/6932011_05_05_17h17_25.png

    ReplyDelete
  136. Lots of questions here and only a few answers. I suggest getting an FAQ about this hack and the risks setup asap for LastPass users.

    I have a strong password and use grid auth but am still unclear if I should sleep ok or change all my pw's.

    ReplyDelete
  137. I understand the concern and appreciate it and have no problem changing my master password HOWEVER since last night I keep getting nothing but error messages so I'm now getting extremely annoyed!!

    ReplyDelete
  138. I'm trying to change my password but it says its too busy. Its making me a sad panda

    ReplyDelete
  139. Those directions in the first post are absolutely awful. WTF is Pocket?

    ReplyDelete
    Hey guys, I love your product, keep up the good work, and you def handle security better than me storing those passwords locally on my computers.

    ReplyDelete
    Hmmm.. all my sites have now disappeared from the plugin and the browser.. something is afoot.. they were working fine 5 mins ago.

    ReplyDelete
  142. I think the site is getting slammed as parts of the US come online, it's working sporadically for me.

    ReplyDelete
  143. Thanks for your responsible handling of this. As a member of the security community its refreshing to see paranoia amongst those handling my sensitive information. Keep up the good work.

    ReplyDelete
  144. Funny, I deleted my account yesterday after realizing that XMarks, my real reason for being at LastPass, would no longer sync Passwords without upgrading to LastPass - a difficult process I abandoned after several e-mail exchanges with support. Hopefully "delete account" really means "delete" to LastPass. I'm not sure I'm that confident it does, though.

    ReplyDelete
  145. One of my staff also uses LastPass. She got a password reset message and changed it. Today, she can login but her user names and passwords are either missing or in Chinese characters. I did an export to CSV just to make sure it was not a display bug and the info is truly gone.

    Will she get the information back?

    ReplyDelete
  146. Maybe forcing a password change on everyone wasn't such a great idea if your servers aren't able to handle that load. Doh!

    ReplyDelete
  147. @Lastpass: There will always be attacks; it is a fact of Internet life. I think you have acted prudently under the circumstances, and I congratulate you for your transparency.

    @Anonymous: If I were a LastPass competitor, I would do exactly what you have done: hide in the shadows and cultivate Fear, Uncertainty, and Doubt. All without producing any valuable go-forward suggestions.

    ReplyDelete
  148. Is it worth deleting login information and going through each website individually changing passwords?

    ReplyDelete
  149. Changed my password and all my sites were deleted from my vault........... Grrrrrr.... Help!!!!!!

    ReplyDelete
  150. I tried to reset twice and got an expired link. Will try again later.

    ReplyDelete
  151. Pocket
    https://lastpass.com/pocket.exe

    This is a Lastpass program that allows you to read all your passwords and export them to a locally encrypted XML file. This XML file can be opened in Pocket in the future to access your passwords even if Lastpass has disappeared.

    I use it weekly to keep a local copy of my passwords up to date in case something happens to LastPass the following week.

    ReplyDelete
  152. Yeah. It's been an hour and my DATA IS STILL CORRUPTED! Oh, and this link: https://lastpass.com/my.php after clicking 'contact us' takes me to a freaking FAQ!!

    Sorry, LastPass You fail.

    ReplyDelete
  153. I have missing or in Chinese characters.
    Will I get MY information back?

    ReplyDelete
  154. Notice to people who cannot login:

    I can successfully login via the LastPass browser add-on, but not through the website itself.

    Once logged into the add-on, you can go to My Vault to see your sites.

    For me, the initial screen contains no data. I had to click on Account Settings at the top and click something like History in order to be taken to the main Vault page with all the sites on.

    It seems that, due to an overwhelming number of people all trying to log on/change passwords etc., it is hit and miss whether you can access the data or not.

    If you can access your data and it is fine, I would suggest that you export your data temporarily (to a secure location, of course) so that you have a copy of your passwords.

    Also note that the more you try to access the system, the slower the system will be.

    If you don't need your passwords right now, I'd suggest waiting until everything has calmed down.

    It will be sorted eventually, and if you are extra paranoid then you can go to your main sites and generate new passwords.

    Hope this helps

    ReplyDelete
    Yeah you will.. mine's just recovered.. first it was Chinese on web and working in app.. then it disappeared from both.. now it's back and fine.

    ReplyDelete
    Can someone please tell me how KeePass is any more secure than LastPass? Even though LastPass is stored on the internet, aren't they both ultimately encrypted files containing all our passwords that need our passwords to unlock?

    ReplyDelete
  157. Good Lord... You guys had to anticipate an overwhelming response on your servers when you do something like this. I see this as way overkill because I use a strong password and as a paying customer, I expect better than this.

    Better change your motto "The Last Password You'll Ever Need" because it's obvious you've failed miserably. Luckily I keep a copy of all my passwords in a separate encrypted database, but this affects me most on my portable devices.

    Please consider using a 3rd party auditing firm to secure your systems. Perhaps the "we think" and "better safe than sorry later" can be replaced with "we're confident".

    You guys should be better than this. Disappointing.

    And for the idiots that don't use a strong password, force them to.

  158. I get this when I try to access the site.

    An error occurred. Please try again in a few minutes. Server: 96.255.24.82 ip: [my ip]

  159. Me again.
    Please address any advice to Alan9876 so that I may search for "Alan9876" and find the advice without reading all the millions of posts this disaster will cause.
    I tried to register as "Alan9876" but of course that is only possible when I read the Gmail email which needs a password.

    A real catch 22.222222222 situation ! !

    Problem again is :-

    The second post above at May 4, 2011 11:18 PM advises to login "offline mode".
    I disconnected from the Internet before launching FireFox and then clicked on the LastPass icon and attempted to login.
    That seemed to fail - I was unable to right click and see any of the hundreds of sites to which you hold my passwords.
    Is there a better way to select "offline mode" ?

    Several times I have sent my email address via
    https://lastpass.com/activate.php?email=myname%40mysite.com
    Now you are telling me that Gmail is putting your response into spam and I should mark it as NOT spam.
    How do I mark it as Not Spam if you will not give me my Gmail password ?
    How do I read your "further instructions" without access to my Gmail Account ?

    NB My ISP is TalkTalk who give me a dynamic IP address once or twice a month. I am probably still using last week's IP address but cannot log into my router to confirm because again you will not give me my Router Password.

    I STRONGLY RECOMMEND that you permit a secondary email address for delivery of "further Instructions" so that when you lock out my primary address there is a fall-back.

    Incidentally I have seen a recent post and selected Firefox Browser File -> Work Offline
    and still cannot get to my local vault.

    Has my local master password been invalidated at my off-line passwords as well as the LastPass Servers ?

    WHAT DO I DO NOW ? ? ?

  160. I say THANK YOU!! This may be an inconvenience, but I appreciate you being paranoid.
    I am only a free user, and have thought about paying for premium, but wasn't sure what "was in it for me". After this gets resolved and I can get back in my vault, I will reconsider my stance on that.
    I think those who complain need to consider the information stored on the server. I would much rather be locked out for a day or 2 than have my bank info etc stolen and used by someone else.
    My credit is toast so they won't get much with my info, but some of you may have very good credit. If the wrong person gets that info you can kiss your 672 score goodbye!
    Just sayin'

  161. error accessing the site.

    An error occurred. Please try again in a few
    minutes. Server: 38.127.167.14 ip: [my ip]

  162. I appreciate being kept informed. I'd also like to point out that this is a perfect example as to why everyone should invest in a Yubikey!

  163. Been trying for 30 minutes and it's still not letting me change my password, still says it's too busy.

  164. We have used Imperva several times. They found flaws that 2 other high profile risk assessment comps missed. Not the cheapest but well worth it.

  165. I get stuck in a cycle.

    I verify my email, log in to change my password, but when I get in it says I have to verify my email again.

  166. Wow, currently overjoyed that I've been diligent about keeping my offline copies for Pocket up to date, or I apparently wouldn't be getting into any accounts (none of the other recommendations seemed to work for me) for who knows how long.

    Seems like we didn't have to be this extreme over something you think is likely nothing.

  167. Login is slow and after I login all my passwords are deleted. There's nothing!!!!

  168. I appreciate your trying to make this right. I got the "force pw change" email and changed it and am STILL not able to get into my vault. WORST, when I did log in with my NEW PW, and clicked to get to my vault, NO info appeared--as if my entire vault is gone.

    I need to know if it IS gone and if so, is any recovery possible? If not, what do I do--start again with all those sites and reregister???? A major pain in the butt!

    Please advise how to repair this mess!

    thank you

  169. I hope your internal name for this debacle is "Operation Clusterf**k" because that's what it is. Sure wish I'd known what a mess your system was before I paid for a year :(

    Add me to the list of everyone else who can't change my password. What a joke.

  170. Sorry, now I have my passwords. But the whole process to login and get the passwords is really slow!!

  171. I just use "password" as my password for everything. Problem solved.

  172. RECOMMENDATION:

    1) File > Work Offline > (logon to LastPass using browser widget) > (click sites you might use today) > show > (jot down the passwords)

    2) Type passwords as needed into your various sites

    (notice, this recommendation just lets LastPass get their "act" together while you are not trying to do anything on the site)

  173. Ok, I last posted 45 minutes ago that I was trying to reset my password... I use Firefox and saw that someone said try using IE, so I did and it let me log in using my old master password and didn't prompt a reset until 15 minutes later, and then just like before I keep going through a vicious cycle of changing it, going through the whole re-encryption process... it says "Congratulations, your password has been successfully changed" and when I go to log in it's still the old F*******G password... I'm starting to get really P*&^%^D off!!

  174. Wow.
    A service that stores all my important passwords just got hacked. What to do? I will surely delete all my info on lastpass and never use it again. Just hoping they are not keeping it for "just in case". This is just too bad and unforgivable to just go on and continue like nothing ever happened. One time is once too much.
    I'm sure my master password holds, but the service as a whole just lost all credibility in my eyes. Maybe an overreaction, but security is security and once something gives it's all over.

  175. Never getting the email to my Outlook that allows me to re-enable my LastPass account. I keep contacting Support and they just tell me to check my spam folder. Which I have ALREADY DONE! Can't log into any of my accounts for work and costing me hours now of business. LastPass has been the biggest headache and worst service since I have signed up. Someone for LastPass please HELP ME ALREADY!!!!

  176. And we'll not get charged this year, right?

    This has caused more than $12 worth of problems for me.

  177. Now it's been TWO HOURS since I updated my password, and I STILL have corrupted data.

  178. I had gone to the Bank and had my password changed there due to a suspicion that money had been taken from my account. Have a new password and it is a good one. All should be well now.
    Thank you. Can I please log in with my new password?

  179. WTF is the point in storing the salt WITH the hashed password in the database? If you have the salt you can generate the rainbow tables in a day or so on a decent machine. Someone doesn't know what they're doing.

  180. "I just use "password" as my password for everything. Problem Solved."

    LOL! You will have new problems soon!

  181. Will you be able to contact the users whose blobs got pulled down? If a hacker has the blob they can then brute force on these and potentially crack them open offline.

    Any two-factor auth like grid, usb or yubi-key is useless if they have the blobs themselves. They can locally brute force these.

    At least if we know our blob was downloaded the prudent thing might be to change every password in the file.

  182. Just wanted to say that I think the LP team is doing a good job addressing the situation. Would like to have seen at least 1% of this diligence from Sony the other week.

    Keep it up guys.

  183. Maybe I'm slow, but if the files on the server are encrypted with your salt and my password which never leaves my client, why does changing the password do anything?

    Assuming you're worried about data already having been taken, wouldn't the password used when creating the hashed data still be the valid password, so changing the password does nothing in that case?

    That said, add me to the long list of people who've changed my password as forced, and now have no data.

    I've spent hours this morning regaining access to my base email account, so I can request password resets from other sites.

    The silence on the problem with the corrupt passwords is speaking volumes, what is going on with the reset accounts? Do you know why the passwords and logins are corrupt? Do you anticipate a resolution or should I just start migrating my stuff someplace else now.

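Several of the comments above (179 on storing the salt next to the hash, 181 on offline guessing against a pulled blob, 183 on what a master-password change does to data already taken) revolve around the same mechanics of salted, slow key derivation. The following is an added illustration written for this page; it is not LastPass code, and the hash function, iteration count, salt length and record layout are assumptions chosen for the example rather than the service's actual settings. It shows why a stored salt is not a secret, why a precomputed table built for unsalted hashes is useless against salted records, and what rotating the master password does and does not change:

```python
"""Per-user salt stored beside a slow password hash, and what rotation changes.

Added example for this comment thread; not LastPass code. SHA-256, 100k
PBKDF2 iterations and a 16-byte salt are assumed parameters for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable

ITERATIONS = 100_000   # assumed work factor: this, not salt secrecy, slows each guess
SALT_LEN = 16          # assumed salt length; the salt only has to be unique per user


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt makes each user's derivation distinct,
    the iteration count makes every candidate password expensive to test."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(password: str) -> Dict[str, bytes]:
    """Build the record a server would store: a random salt plus the verifier
    derived from it. Storing the salt alongside the verifier is the normal
    design; it is public by construction."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "verifier": derive(password, salt)}


def legacy_register(password: str) -> Dict[str, bytes]:
    """The weak design the salt protects against: a bare, unsalted digest.
    Every user with the same password gets the same stored value."""
    return {"salt": b"", "verifier": hashlib.sha256(password.encode("utf-8")).digest()}


def verify(password: str, record: Dict[str, bytes]) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(derive(password, record["salt"]), record["verifier"])


def unsalted_table(candidates: Iterable[str]) -> Dict[bytes, str]:
    """A precomputed table of plain SHA-256 digests, the kind of lookup that an
    unsalted store is exposed to. It is built once and reused across users."""
    return {hashlib.sha256(p.encode("utf-8")).digest(): p for p in candidates}


def table_hit(table: Dict[bytes, str], record: Dict[str, bytes]) -> bool:
    """A precomputed table only matches values computed without a salt. A salted
    verifier never appears in it, so the table would have to be rebuilt per user,
    which is exactly the cost the salt is there to impose."""
    return record["verifier"] in table


def rotate(record: Dict[str, bytes], old_password: str, new_password: str) -> Dict[str, bytes]:
    """Master-password change: fresh salt, fresh verifier, stored in place of the
    old record. A copy of the old record taken before the rotation is untouched
    by this and remains exactly as strong as the old password was."""
    if not verify(old_password, record):
        raise ValueError("old password does not verify")
    return register(new_password)


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    rec = register("correct horse battery staple")
    print("verifies:", verify("correct horse battery staple", rec))
    tbl = unsalted_table(["password", "123456", "correct horse battery staple"])
    print("table hit on unsalted record:", table_hit(tbl, legacy_register("correct horse battery staple")))
    print("table hit on salted record:  ", table_hit(tbl, rec))
    new = rotate(rec, "correct horse battery staple", "a different long phrase")
    print("old copy still opens with old password:", verify("correct horse battery staple", rec))
    print("new record opens with new password:    ", verify("a different long phrase", new))
```

The defender's takeaways match the thread: the salt beside the hash is expected and harmless; the iteration count is what limits offline guessing against a copied record; and rotating the master password protects the record the server keeps from now on, so any credentials inside a copy that may already have left should be changed at the sites themselves.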
  184. This is extremely poor.. I followed instruction and my PW changed (at least I thought). The new password comes up as invalid or server response issue on login when using the site login. My old password seems to still work on browser login. WTF??

  185. Just manually had to change all my passwords at all my financial institutions and other sites. What a pain. I can't believe I trusted this site. Stupid me for trusting any "Cloud" service to protect their data. One would think a "password" service site would have better security.

    Never again will I trust LP.

  186. ....and this is why I only use LastPass to store non-critical passwords. I will never trust my banking passwords to anything other than my brain.

  187. So I haven't been asked to change my username; should I hold that off as indicated in your update?

  188. As others said, you should send an e-mail to all LastPass users to describe the problem and the different steps to take.

    I find it unpleasant to have to change my password, as it was unbruteforcable. However I understand that you can't tell the difference between bruteforcable and unbruteforcable, but maybe you could rethink the master password creation procedure to prevent this in the future.

  189. When I WAS able to login and change my master password (earlier B4 their server crashed) it scrambled all my online passwords. I was planning to delete all of them but now I can't even login. Nice work LP!

  190. I just converted from eWallet and purchased Pro.

    This login issue is annoying, but hopefully it will be resolved soon.

    I am asked to verify email. I do. Then I use the link provided in the email. I get a browser sign in screen. I sign in. I'm asked to verify my email. etc etc

    At least I have my Blackberry vault.

  191. Just one question, should I change all my site passwords too just in case?
    Another question: are you keeping all my data after account has been disabled, since it can be re-enabled? Are you really deleting entries I delete from LastPass or are these "backed up" too?

  192. HOW ABOUT NOT MY OLD PASSWORD NOR MY NEW PASSWORD WORK!!! WHAT'S THE DEAL!!!

  193. Don't you people understand that they're doing maintenance on their servers!?

    The service may not be back online and stable till tomorrow.

    It doesn't help that everyone keeps trying to log in and create support tickets.

    Try logging in later and see if you have access to your vault.

  194. WHAT A BUNCH OF HINKY BULLSHIT! EVEN IF I WANTED TO LOG IN TO MY ACCOUNT AND CHANGE THE PASSWORD, THEY HAVE IT DISABLED!

  195. Don't you understand that a lot of us rely on the fact that our passwords are stored on this server and they prompted us to do this... I have a lot of things that I need to do that require this program and can't get them done!!!!

  196. I cannot log into my account. I get the reset password sent to my email, click the link, verify my email address, and still cannot log into my account. It just keeps asking me to verify my email.

    Please advise.

  197. Similar problems for me.

    I changed my password and it took, telling me it was re-encrypting. That finished and logged me off.

    Now, when I try to login (at lastpass.com), it fails with an "Invalid password!" when I use the new one. However, if I use the old one, it appears to succeed and then after "loading sites" fails with "An error has been encoutered while loading your sites. Please relogin."

  198. Getting a lot of strange characters in my vault and nothing is working...

    1Iv'˖jmΚ.H \hN2
