Actions we've taken:
- Multiple security experts and firms were brought in to help us; we've engaged one firm to do a further source-code-based review.
- We're committed to doing several reviews per year and sharing the results of these reviews.
- We've had some useful suggestions from the community -- we appreciate your input: https://lastpass.com/support_security.php
- One example: to reduce the chance of phishing Iastpass.com was registered -- that's a capital i instead of an L. We've also purchased 1astpass.com
- All non-core services have been completely removed from the LastPass network; LastPass now runs the web application and DNS servers only.
- Forums, Helpdesk, etc are run offsite on 3rd party servers.
- We're looking into moving our support tickets off our network too.
- Amazon was utilized to send out the email notification; we're better able to send large amounts of email quickly in the future, and thank Amazon for working to spin us up quickly.
- We've commissioned a write-only off-site aggregated log server which can only be accessed via the console. This gives us a guarantee that any logging is intact.
The good:
- We were prepared to both disable accounts and force people through password changes, which was something we had planned for.
- The steps we took protected all users, even those who used weak master passwords.
- Having a live backup system proved invaluable for people who ran into issues, or forgot their new master password after changing it.
We made a number of tactical errors including:
- Out of the gate, we inconvenienced a large number of people who knew their passwords were strong and therefore never could have been at any risk.
- Massively underestimating the amount of media attention we'd receive. This had 2 effects: 1. Greatly increased the number of users attempting to change their passwords -- our plan was for people coming from new computers which is a small percentage of the overall user base per day that we could have handled; 2. Drove a big increase in new users as people interested in LastPass attempted to check us out.
- We didn't have any previous IP tracking data on previously used computers for people without login tracking. This caused nearly all these people to face password change immediately.
- We moved too slowly to shut down password changing once the system was under stress.
- We weren't prepared to send large amounts of email quickly, especially after turning off a server. (Resolved going forward w/ Amazon)
- Some of our customers were unfamiliar with logging into LastPass in offline mode, panicking a number of them.
- Blogger (who we use for blog.lastpass.com) had some downtime through the event.
Additional changes coming:
- Our next release will make it clear how to login offline from the login dialog.
- We've purchased a large amount of additional server capacity so we can handle extreme load events better in the future.
- We'll be utilizing the 'from a new location' capability in a few new security features.
Update 9, ~11am 05/09 EST:
Many users are changing their password and then determining they can't remember it, and a number have also run into issues with password changes and want to go back. You can now do this yourself without contacting us: https://lastpass.com/revert
Update 8, ~9am 05/07 EST:
We enabled password change for greater percentages overnight and now for all users. Again, please note that there is no need to panic: all accounts were put into a locked-down mode of only allowing previous login locations or verification via email, until password change.
We're asking any users that have current issues with a password change to use https://lastpass.com/revert to restore your account from backups. Many have been people forgetting what password they changed to, so make sure you practice that new password a number of times after you change it.
We appreciate your patience, we'll continue to update with any changes.
Update 7, ~6pm 05/06 EST:
Everyone should be able to login (after verifying your email if you are coming from a new IP). We've begun allowing all premium users and a percentage of users to go through password change.
Please note that there is no risk in waiting if you can deal with verifying by email when you use a computer at a new place (IP).
If you experienced an issue with a password change and want to be restored from backups we can do that too and will provide a URL to do it shortly.
Update 6, ~10:30am 05/06 EST:
If you have been experiencing an error contacting the server, please try logging in both via the plugin and the website - you should now gain online access. If you still see an error, please open a support ticket or email support@lastpass.com, if you haven't already done so.
Currently we're not allowing users to change master passwords until our databases are completely caught up and we have resolved outstanding issues. We will update our users via the blog when it is possible to do so.
Thank you for your continued patience.
Update 5, ~1:30am 05/06 EST:
We've added the option for you to say that you know your master password is strong and to avoid password change; we apologize for not having that available when we announced.
We've identified an issue with roughly 0.5% of users that impacted their master password change, and will be contacting you tomorrow to roll you back to before the change.
Joe's interview with PCWorld covers more details on what happened, what our thought process has been, and what this means for our users: http://www.pcworld.com/article/227268/exclusive_lastpass_ceo_explains_possible_hack.html.
We continue to work as quickly as possible to address user support.
Update 3, ~4:30pm EST:
Logging in offline should be working everywhere if you have logged in using that client before. If you're having problems with this, please attempt to login via the website: https://lastpass.com/?ac=1 -- that should now take you through an email process to enable your current IP.
If you're having problems getting your data with pocket, make sure you're selecting to login to the local file, not logging in at LastPass.com.
If you changed your password and are now having problems we'll help with that too, please email us if that's the case and include your LastPass email address.
For those who haven't been prompted, and have continued to use LastPass without issue -- we've judged the risk to be low if you're using the same IP -- we're only raising the issue once that changes.
Finally if you have issues with password changes please email us at support@lastpass.com, we can revert you, or we can pull data from backups, but please try LastPass Icon -> Clear local cache first.
Update 2, 2:15pm EST:
Record traffic, plus a rush of people to make password changes is more than we can currently handle.
We're switching tactics -- if you've made the password change already we'll handle you normally.
If you haven't, the vast majority of you will be logged in using 'offline' mode so you can still use LastPass like normal and get back to your day; only syncing of new passwords should suffer (and you'll see the bar).
As load lowers we'll increase the percentage of people being sent through email validation / password changing.
For people experiencing problems please email us at support@lastpass.com -- we have seen a few reports of bogus data post change; we think this is due to you downloading a stale copy, and if you go to LastPass Icon -> Clear Local Cache and try again it should work.
You can access your data via LastPass in offline mode or by downloading LastPass Pocket : https://lastpass.com/misc_download.php (choose your OS).
---
We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.
We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.
In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.
If you have a strong, non-dictionary-based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.
To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.
We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.
We're also taking this as an opportunity to roll out something we've been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We'll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we'll continue to find ways to reduce how large a target we are.
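The brute-force threat described above and the PBKDF2 parameters announced here, as an added example in Python that is not LastPass's code: it shows the offline dictionary attack an adversary holding an email address, the server salt and a salted hash could run, and how the same attack costs 100,000 times more work per guess once the stored value is PBKDF2-HMAC-SHA256 with a 256-bit salt and 100,000 rounds. The single-pass `legacy_hash`, the ten-word wordlist, the email-salted client stage and the 5,000 client rounds are this example's assumptions, not details the post gives.

```python
import hashlib
import hmac
import os

# Parameters stated in the post: PBKDF2 with SHA-256, a 256-bit salt, 100,000 rounds.
ROUNDS = 100_000
SALT_BYTES = 32

# Constructed wordlist standing in for a real dictionary-attack input.
WORDLIST = ["password", "123456", "letmein", "sunshine", "monkey",
            "dragon", "football", "iloveyou", "qwerty", "welcome"]


def legacy_hash(server_salt: bytes, master_password: str) -> bytes:
    """Single-pass salted SHA-256. ASSUMPTION: an illustrative baseline, not
    the pre-incident LastPass scheme. One hash per guess: cheap to brute force."""
    return hashlib.sha256(server_salt + master_password.encode()).digest()


def pbkdf2_hash(server_salt: bytes, master_password: str, rounds: int = ROUNDS) -> bytes:
    """PBKDF2-HMAC-SHA256 as the post describes. Each guess now costs
    `rounds` HMAC evaluations instead of one hash."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), server_salt, rounds)


def client_then_server(email: str, master_password: str, server_salt: bytes,
                       client_rounds: int = 5_000, server_rounds: int = ROUNDS) -> bytes:
    """Two-stage derivation. ASSUMPTION: the post only says a second PBKDF2
    implementation is coming on the client; salting the client stage with the
    lower-cased account email and the 5,000 rounds are this example's choices.
    The server only ever receives the client-derived key and stretches it again."""
    client_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                     email.lower().encode(), client_rounds)
    return hashlib.pbkdf2_hmac("sha256", client_key, server_salt, server_rounds)


def dictionary_attack(target: bytes, server_salt: bytes, hash_fn, wordlist=WORDLIST, **kw):
    """The offline attack someone holding (email, server salt, hash) can run:
    hash every candidate with the leaked salt and compare. Returns
    (recovered_password_or_None, guesses_made)."""
    for guesses, guess in enumerate(wordlist, start=1):
        if hmac.compare_digest(hash_fn(server_salt, guess, **kw), target):
            return guess, guesses
    return None, len(wordlist)


def cost_multiplier(rounds: int = ROUNDS) -> int:
    """Extra work per guess relative to the single-hash baseline: a 100,000-word
    dictionary becomes 10^10 HMAC operations instead of 10^5 hashes."""
    return rounds


def demo() -> dict:
    """Attack a weak (in-wordlist) and a strong (not-in-wordlist) master password
    under both schemes, using a fresh random 256-bit server salt."""
    salt = os.urandom(SALT_BYTES)
    weak, strong = "sunshine", "correct horse battery staple 7!"
    results = {}
    for name, fn in (("legacy", legacy_hash), ("pbkdf2", pbkdf2_hash)):
        results[name] = {
            "weak": dictionary_attack(fn(salt, weak), salt, fn),
            "strong": dictionary_attack(fn(salt, strong), salt, fn),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

Both schemes recover "sunshine" after four guesses; PBKDF2 only makes each guess 100,000 times more expensive, it does not rescue a master password that is on the attacker's wordlist. That is exactly why the post pairs the new hashing with a forced change for anyone who may have picked a dictionary word.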
For those of you who are curious: we don't have very much data indicating what potentially happened and what attack vector could have been used, and are continuing to investigate it. We had our Asterisk phone server more open to UDP than it needed to be, which was an issue our auditing found, but we couldn't find any indications on the box itself of tampering, the database didn't show any changes escalating anyone to premium or administrators, and none of the log files give us much to go on.
We don't have a lot that indicates an issue occurred but it's prudent to assume where there's smoke there could be fire. We're rebuilding the boxes in question and have shut down and moved services from them in the meantime. The source code running the website and plugins has been verified against our source code repositories, and we have further determined from offline snapshots and cryptographic hashes in the repository that there was no tampering with the repository itself.
Again, we apologize for the inconvenience caused and will continue to take every precaution in protecting user data.
The LastPass Team.
Update 1:
We're overloaded handling support and the sheer load of password changes is slowing us down. We've implemented a way for you to verify your email and then not be immediately forced to change your password for that IP, access from any other IP would bring you back to email verification. You can now wait a few days if you know you'll be on the same IP without loss of security, and due to this overloading we think that's prudent to wait.
We're asking if you're not being asked to change your password then hold off -- we're protecting everyone.
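The "known IP block or verify via email" gate described in the post and in Update 1, as an added example in Python that is not LastPass's code. The decision rule is modelled from what the post states: a login from a block the account has used in the past few weeks, or one the user has since confirmed through the email link, is allowed; anything else is held for email verification even when the master password is correct; accounts with login tracking disabled have no history and so are challenged immediately; once the master password has been changed the gate stands down. The /24 and /64 block sizes, the three-week window and the account and event data are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# ASSUMPTION: "past few weeks" taken as three weeks; the post gives no number.
RECENT_WINDOW = timedelta(weeks=3)


def ip_block(ip: str):
    """Map an address to the 'IP block' the post refers to.
    ASSUMPTION: /24 for IPv4 and /64 for IPv6; the real block size is not stated."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


class AccountLoginGate:
    """Per-account state behind the post-incident login check."""

    def __init__(self, track_logins: bool = True):
        self.track_logins = track_logins    # users may have disabled login history
        self.last_seen = {}                 # block -> time of last successful login
        self.email_verified = set()         # blocks confirmed via the emailed link
        self.password_changed = False       # set once the master password is changed

    def record_login(self, ip: str, when: datetime) -> None:
        if self.track_logins:
            self.last_seen[ip_block(ip)] = when

    def confirm_email(self, ip: str) -> None:
        """Called when the user follows the verification link sent to the address on file."""
        self.email_verified.add(ip_block(ip))

    def decide(self, ip: str, now: datetime) -> str:
        """'allow': proceed normally. 'verify_email': hold the session until the
        address on file is confirmed, even though the master password was correct.
        An attacker who brute-forced the password from a new location lands here."""
        if self.password_changed:
            return "allow"
        block = ip_block(ip)
        if block in self.email_verified:
            return "allow"
        seen = self.last_seen.get(block)
        if seen is not None and now - seen <= RECENT_WINDOW:
            return "allow"
        return "verify_email"


def run_scenario() -> dict:
    """Constructed walk-through of the cases the post describes. Returns each
    verdict so the behaviour can be checked rather than only printed."""
    t0 = datetime(2011, 5, 3, 9, 0)   # constructed timestamp
    home, neighbour, abroad = "203.0.113.25", "203.0.113.200", "198.51.100.7"
    results = {}

    gate = AccountLoginGate()
    gate.record_login(home, t0 - timedelta(days=2))
    results["home_recent"] = gate.decide(home, t0)              # seen two days ago
    results["same_block"] = gate.decide(neighbour, t0)          # same /24 as home
    results["new_ip_before_verify"] = gate.decide(abroad, t0)   # guessed password, new place
    gate.confirm_email(abroad)
    results["new_ip_after_verify"] = gate.decide(abroad, t0)

    stale = AccountLoginGate()
    stale.record_login(home, t0 - timedelta(weeks=5))
    results["home_stale"] = stale.decide(home, t0)              # outside the window

    untracked = AccountLoginGate(track_logins=False)
    untracked.record_login(home, t0 - timedelta(days=1))        # nothing is stored
    results["tracking_off"] = untracked.decide(home, t0)
    untracked.password_changed = True
    results["after_password_change"] = untracked.decide(home, t0)
    return results


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:24} {verdict}")
```

The gate is only as strong as the mailbox behind it: if the account's email password is itself stored in the vault and the attacker already has the vault, the email check is circular, which is the objection several commenters raise below.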
Quick question; lastpass seems to be unusable until I change my master password, but I can't login to gmail without lastpass giving me my gmail password. So how do I reset my lastpass master password if I can't login to my email?
@Yansky Sorry about that -- you have a few choices:
1) Log in in 'offline mode' then reconnect your cable/wireless connection and go to gmail... This is the preferred method.
2) Download Pocket, and have it find your local offline copy from the drop down of files and login there.
We realize that's a big inconvenience; we're planning on updating the extensions to avoid this logout tomorrow morning.
This is very disturbing. Whilst it may well be overkill and paranoia, the fact that attempts and anomalies are being logged doesn't make one confident in storing their data with LP :(
LP have continually dismissed independent auditing. I ask now...isn't it time you gave in and let a 3rd party audit you so you can find these things such as "server open to UDP more than it needed to be"??
The LAST password you ever had to remember huh? Nice... now I have to train all my family members to learn yet another password *cry*
Not your fault, but not very convenient!
If one is using 2 factor auth, will that change anything? In other words, does 2 factor auth (grid method) provide an additional meaningful level of protection from something like this?
@Anonymous This isn't personally identifiable data being logged; it's critical to detection of issues, and in most cases more basic, like traffic to and from each machine.
That said, a 3rd party audit is certainly prudent and something we'll commit to; we've worked with a few good firms in the past but would welcome recommendations if there are good firms for this kind of application.
@Omar Shahine - Yubikey would protect you quite well, but with Grid we have the coordinates and it's possible that the grid coordinates could have been accessed -- we just don't know so if you regenerated/reprinted your grid coordinates that would be better.
When I try to reset my master password it says that my account settings restrict login from my mobile device. I'm using my PC and I still get this message, what's going on?
Thank you for your post. While I've been using a pass phrase and I have a yubikey, I am extremely grateful that you are paying attention.
Seriously dude, this is bad stuff. I'm locked out of ALL my different accounts, and it isn't accepting my lastpass master passphrase. I guess I learned my lesson here. There is no way in hell that I'm storing my important logins/passwords in the cloud again.
@Anonymous "locked out" -- We can revert your password change if you did one; email support@lastpass.com with your account email - a surprising number of people immediately forget their new password, we're working on this. If you haven't changed your password yet see my first comment on this thread.
Ok Joe I will do that. I just found your account recovery page here: http://helpdesk.lastpass.com/account-recovery/
If anyone else needs it.
I'm confused. When will you be forcing us to change the password? I just re-logged in (after I saw this post), and wasn't prompted for anything.
Using LP extension on Chrome 11.0.696.60.
I am also getting the "account settings restrict login from this mobile device" error. Very frustrating...
@SEV We're only forcing the issue right now when we see you come from an IP you haven't used in the past few weeks (if you disable logging logins this might mean immediately).
@Anonymous "restricted this mobile device" -- we're on it, please give us some time and I'll post back here.
Is there any solution to the "restrict login from this mobile device" error?
I for one am glad y'all are on top of things round there. thanks
Yes, I am "locked out." Not because I forgot my own password. Not because I compromised my password. But because I am forced to change my password yet I cannot do so because the Lastpass Password change system detects my browser as a mobile device and hence will not let me change my password. Was this mandatory panic thoroughly thought about before being initiated? A lot of us are paying customers too. It will take a lot for Lastpass to restore trust in the system, because I am out as soon as this fiasco is over.
Keep up the good work and don't mind our "carping"
A complaining Geek is a Happy Geek.
I thought the whole point of LastPass was that even if hackers were able to obtain bits of information regarding your account, none of it would be even legible. The passwords are encrypted, the information is encrypted, and LastPass even boasts that they don't keep our password stored on their server in any identifiable way. So why force a mandatory change of password when the system itself should protect us against attack?
Thanks for this update. Your security measures sound robust.
Those of you trying to punish LastPass for communicating with its members may want to rethink that strategy for getting what you want from companies...
In the future, it would be nice if you found a new method for keeping our security safe. My email password was a randomly generated password by lastpass, so I had a hard time getting my lastpass account back. I will keep my passwords backed up now, you guys might want to recommend that people do this... or make a utility that does it for us.
Thanks,
Alex
A lot of us are effectively shut out from our own information for the time being. It's not mere inconvenience if there is urgent matter at hand for a customer.
Ok, so I sent the email verification and it asked me to then reset my master password. When I try to I just get a popup saying invalid command! Also when I try to simply logon to my account I just get bounced back to the logon page without any error or warning. Have you guys taken the service down or something? This doesn't look good!!
@Anonymous "Locked Out" -- I'm really sorry -- we really want everyone to know that you __ALWAYS__ have access to your data if you can get logged in offline, or use Pocket against your offline copy that you download every time you login.
That said, I think I've resolved the issue if you'd like to try again to make the change.
What we've done here is all about trust. Seeing something like this is easy to ignore and pretend it's just a fluke and move on with your life. Most companies wouldn't notice at all...
We thought as much as we could about this given the time constraints of wanting to report it and do as much as we could to protect users. We definitely fell toward the paranoid / protect users side.
I got an error about not being able to log in on devices that don't support grid auth when attempting to change my master password. This happened repeatedly on two different computers (both Linux), when I tried an XP one it worked fine.
All I get is "unknown error" when trying to reset my password... this is not cool
Bastards! How the hell can I login to my email without the "one password"? The disconnect-the-internet hack doesn't work on any of my extensions and pocket won't let me login because of an IP change. In case you haven't figured out, some of us have dynamic IPs that change every now and then.
I have a gmail account with the password stored on LP. LP is telling me I need to access my email in order to gain access to LP, but I can't read my email without LP!!! I read above some advice to login in offline mode. How do I do that? Please help, I'm completely locked out at this point and very unhappy with LP!!
After changing my password I keep getting "Unknown Message!" Really? Come on LP.
Still getting the mobile device error.
After doing the password reset, this is what I see... I can't access anything, and nothing is working... there goes lastpass credibility...
www.timeused.com/lastpass.png
it's working now
I can't login and change my password once I've verified my email, all I get is 'unknown message' as an error.
@smug anon 12:19AM, how's that high horse and strawman working out for you?
I'm also still getting the "Your account settings have restricted you from logging in from this mobile device." error when trying to change my password from my PC browser. I've submitted a support ticket via my (premium) account address: lastpass *at* ryan-goldstein.com
I'm getting "Unknown message!" error while trying to change my password. I'm guessing this has something to do with the password reminder. This is really unacceptable guys! Maybe I should just go back to keepass. It is not as convenient but at least I have no one but myself to blame if something like this happens.
To the people having problems with logging in, are you trying to login through the website, or through a browser addon?
I had problems with the website, it wouldn't accept my master passphrase at all, even though I know it was right. However, I can login to lastpass through the firefox extension and access my database.
What is fixed?
Your account settings have restricted you from logging in from this mobile device from IE and Mozilla.
you need to fix this unknown error problem asap
@Anonymous "I thought the whole point of LastPass was that even if hackers were able to obtain bits of information regarding your account, none of it would be even legible"
I'll try and explain this to the best of my knowledge (hopefully this is accurate).
Also this post goes into some detail of how passwords are stored securely
http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html
The issue at hand here is that *if* the database of salted password hashes were stolen, along with the server salt, one could simply keep trying an infinite number of password combinations for a given email address. Once the attempt was successful, then they could log into Lastpass using your username and password. Recall that they got your password by guessing till it worked. This is known as a "brute force attack". This is why Lastpass is detecting an unknown IP accessing your account and requiring you to change your password.
So the best thing you can do is change your password, that way if they guessed it, then they cannot gain access to your account.
However, if the salted passwords + salt + encrypted data were stolen, one would simply have an offline copy of the data; then that would be far worse as said person has the ability to attack the database offline, and if they decrypt the data then they have all your data. I pray that this did not happen.
Help, I'm getting an "Unknown message" when I actually reset my password on your site. Tried two different new passwords, same message. What can I do about this?
I am still locked out of all my machines (2 Windows, 1 MacOS) because of the "account settings restrict login from my mobile device" NONE OF THESE ARE MOBILE DEVICES. When will this bug be fixed?!?
Got rid of "mobile device" and now get "Unknown message!"
If you're going to f*ck with people's passwords, *test it first*.
I'm in Renable Account Hell. It tells me it's sending to my secondary email, but I receive nothing. I managed to use the recovery OTP to get in, but it then puts me back to the login page before I can change my password. I've emailed support and opened a ticket, but with the stuff going on, when will I be able to get my account re-enabled? It's not like I'm a security professional that needs their password or anything..
FIREFOX works. When I use Chrome browser I get the "Unknown message" error.
Oh, I found the export utility, very easy to use, and if there are any more security issues, I can always refer to the spreadsheet!
I'm going to recommend using the utility to everyone reading this blog: use it.
Thanks again,
Alex
Where is the utility?
Mozilla working
Did you guys test this before rolling it out? I got the email and now I am getting the "mobile device" error. An eye opener.
Ok so I got pwned by this message: "Your account settings have restricted you from logging in from this mobile device." and had to delete and recreate my account. Here is how I did it.
- Download Lastpass pocket -> https://lastpass.com/pocket.exe
- Run pocket.exe and login using your existing username and password.
- Export your stuff to a csv file
- Delete your lastpass account -> http://helpdesk.lastpass.com/account-recovery/ (4th option)
- Recreate the lastpass account by signing in at lastpass.com
- Using your lastpass browser extension -> Tools -> Import from -> Other -> Select "CSV" from drop down
-> Copy and paste the contents of the lastpass export csv file into the window and import everything.
-> Done. Pain in the ass.
Okay, so on my home machine, whose ip I've been using for the 48 hours I've been a lastpass user, I went to preferences and changed my master password.
It logged me out, but now when I log in it says:
An error has been encountered while loading your sites. Please relogin.
So huh!?
Please advise.
Also, I am still confused why this is a blog post and not an email.
Oh, also, that is using lastpass with firefox on windows 7
You guys didn't think this issue important enough to send out an email? Seriously?
@jerry 1.25+MM users would take too long to email unfortunately. Please email support@lastpass.com and include your LastPass email address.
Everyone seems to be getting very angry with you guys, but I want to say: Excellent response. Thank you for doing the right thing. Our passwords are not minor things, and with the way you have handled the last two lastpass issues I think you are more than fit for the job of providing this service securely. Sony should take some notes. Keep up the great work guys, and thanks again for being so professional.
I agree, Anon! Kudos, guys.
Excellent response? Not really. If LastPass really had 1.25++ MM users who were affected by this, then this is not a company you want to trust with your passwords. Besides, "taking too long to email" is a pathetic excuse - it would take as long as sending the above blog post to allusers@lastpass.com
Hey dudes thanks for letting us know, would that affect the premium users you said?
"You guys didn't think this issue important enough to send out an email? Seriously?"
I think forcing people to change their passwords the next time they log in is on par with an e-mail. For some, they'll probably find out faster than checking their e-mail.
I tried posting this a few mins ago -
Your initial blog post suggests that very little data was lost -
"We know roughly the amount of data transfered and that it's big enough to have transfered people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blobs."
Was enough lost to compromise everyone? If it was not enough for an encrypted blob, you are talking less than 10kb? Please clarify
Thanks for the prompt response guys!
Seriously- spending $10k on a professional auditor's opinion will be the best money you've ever spent. Just benchmark all of your crap and apply the standard utils- ossec, log monitoring, web application firewall, etc.- why in the hell would your asterisk server have any visibility to your db??!!
Do I need to change the passwords that are in my vault?
Ouch! Not good!
Please don't take this as a sales pitch, but I'm a sales engineer for Riverbed Technology and we have a product called Cascade Shark that does packet recording and analysis. This device would have allowed you to go back in time to when the traffic anomaly happened, find and replay the session that generated this spike and then view exactly what was transferred on the wire.
It could have prevented you from going into paranoid mode if you could verify that no user data was transferred.
Thanks to Owais above. It worked for me by exporting from firefox, but I just imported a csv file to keepass instead, as lastpass would not work at all, and I'm not sticking around to bang my head on the wall when it doesn't appear to accept my passwords at all. Thanks for the help.
What's the status on the "mobile device" bug?
"We know roughly the amount of data transfered and that it's big enough to have transfered people's email addresses"
So email addresses were potentially compromised.
"We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blobs."
Not many, but some.
So it is then entirely possible that the attacker has some users' encrypted data blobs.
Furthermore, if those users have a brute-forceable master password, it is therefore possible that they have access to some of the few encrypted data blobs that were potentially downloaded. This means the attacker WOULD have access to the email account of this user. Thus your statement that "they wouldn't have access to your email account" seems incorrect and email verification would not help these users.
That's twice now, there is no way I'm trusting my passwords to LP anymore. Bye guys.
The only really scary thing here is that your Asterisk server is in the same network as the database you store all our passwords on.
That's a gigantic security failure.
"We're only forcing the issue right now you when we see you come from an IP you haven't used in the past few weeks (if you disable logging logins this might mean immediately)."
I haven't been asked to change my master password yet. If I manually change it now will I be asked to change it again later?
better to be safe than sorry.
thank you.
"What's the status on the "mobile device" bug?" I posted about it earlier and it's all fixed for me now
I received my notification..entered my email..now I'm locked out of my account
How do we change passwords if we are locked out of our accounts?
glad to see you're on top of it..but I'm not sure this was handled too well.
With all due respect, you could simply allow people to keep their access to LastPass service while they await the confirmation email until it delivers.
there's no hassle why would you want to cut off the air supply to LP just because it made a cough.
to stop the attacker simply update your service to detect any method of trying to get "login data" from your database. to simply lockout the IP and notify you..
@Dinoraptor101 "there's no hassle why would you want to cut off the air supply to LP just because it made a cough."
AFAICT nobody's air supply is being cut off. 2 methods for accessing your passwords in offline mode have been posted.
So, I'm just curious, if you haven't identified any specific vulnerability, what would prevent the "attacker" (if any) to just get a new batch of the data with all the updated passwords changes users are doing.
Sounds to me that if you haven't "fixed" anything yet, then the "attacker" can still do the same "thing", so a password change wouldn't do any good?
So many of us appreciate your diligence; don't get discouraged by criticism. I got the reset message, followed the instructions and had no problem. I happened to be on the road so I got caught in the re-enable routine.
You did the right thing. I thought some of these cases through a long time ago. My email password is not stored in LP. I have a Yubi key. Since the Yubi key means no access except from a trusted machine even with my master password (unless you can get to my email to disable the Yubi key), and I don't let anyone who can get to my LP get to my email, I think I've closed a potential vulnerability. Get a Yubi key and sleep better.
LP, just wanted to say that I really appreciate what you are doing.
I understand it was really tempting to just ignore this issue and to not respond to it as you did.
Keep up the good work!
- What prevents the potential attackers from simply repeating their attack since no specific vulnerability has been identified or fixed?
- When will the forced password change affect users whose IP address hasn't changed, and will they be forced to change the password at that time even if they manually change it now?
- Why is it possible that your Asterisk phone server can be used as an attack vector?
- You seem to make the assumption that email accounts can be used to verify account ownership despite the possibility that these email accounts may have been compromised as a result of this issue.
- Why do you allow the creation of a master password that can be brute forced?
- What caused the "mobile device" and now the "unknown message" errors, and when will this be fixed?
This is complete BS. There is a mis-spelling on the Re-enable page which makes me very suspicious. There is nothing in the news section on the Lastpass home page that even mentions this issue. How do I know that Lastpass has not been hacked? I don't, and so I'm not changing anything. I'm a paying customer and I should've known Lastpass was just too good to be true. I'm out of here. Sorry guys, but when it comes to trusting someone with security one hiccup like this is a deal breaker.
I'm glad that under "external stress" the LastPass system fails to "off" rather than to "on". With PSN and RSA having their user data sucked out like a plate of spaghetti, your actions are on the money. Inconvenient? Oh, you bet, but it's better than doing nothing.
And really people, DON'T catch-22 yourselves with saving your master e-mail password in LastPass! It's not the fault of LastPass, but your fault for doing that.
I thought only blobs were transferred to Lastpass? If that's true, what's the fuss? Here's what Lastpass says about security:
"LastPass uses SSL exclusively for data transfer even though the vast majority of data you're sending is already encrypted with 256-bit AES and unusable to both LastPass and any party listening in to the network traffic -- the amount of data is trivial so the extra encryption doesn't hurt. Our policy of never receiving private data that you haven't already locked down with your LastPass master password (which we never receive and will never ask for) radically reduces attack vectors. We use firewalls and best practices to protect the servers and service, but our best line of defense is simply not having access to data even if someone got in. If LastPass can't access it, hackers can't either."
According to the above we should have nothing to worry about because even if someone was listening to the network everything is encrypted right? What's going on???
@Anonymous (why don't you post your name?): Stop spamming the blog. If you are unhappy, cancel your account and get on with your life.
I think LP reacted perfectly. The spelling error is not great as it raises doubt. But honestly I don't care, as I can see in the browser address that the site is https with a LP certificate.
The new password setting worked fine, actually this should be an option which users should be able to set (Ask me to reset the password every x months). Many apps have this.
So, stop bitching and give LP kudos how they protect their databases. Sony can learn a lot from LP ;).
@Dicks I just entered my email address into Lastpass's form. They sent me an email, and want me to click a link in the email to get to the page to change my master password. Um...this is malware 101. Never click links in emails. Anyway...I'm not spamming the blog. I'm a paying customer and I will speak my mind as much as needed.
For all of you who are affected by the "Your account settings have restricted you from logging in from this mobile device." problem:
I was able to login with one of my One-Time-Passwords I had generated when I set up the account. I was then asked again to change my master password, but this time I was asked for grid authentication, and after passing this the change succeeded.
Now I can log in again using my new master password.
Yours Sincerely
@Dicks, you realize there are multiple people posting as "Anonymous", right?
Also, at least one respected Infosec professional would bet that lastpass is "totally owned", were he a betting man: https://twitter.com/#!/jonoberheide/status/65999907571503104
Could you link to this notice from the page that forces people to change their passwords please. I was majorly confused this morning when I was asked to change my password. It reeks of phishing too.
Are people actually this stupid to put their primary email account under a random generated password??
Very happy about your response to the issue, LP guys. This kind of thing will happen at some point to any company that deals with encrypted data because it's interesting to criminals, so that's not the problem at all (note to users freaking out that someone would try to fish for some data). It's the response of the company that matters. This was quick and hopefully comprehensive.
Clearly there are some points LP should improve on to make sure whatever was done by these intruders is not repeated by the next ones.
I am unable to login at all - "An error has been encountered while loading your sites. Please relogin."
What now?
I'm unable to login after changing the master password:
An error occurred while retrieving your accounts. The most likely error is that you have cookies disabled. Please check your settings and reload the page DEBUG: https://lastpass.com/getaccts.php returned not logged in, you can try going there directly.
What should I do to get access to my passwords?
I'm still getting the error message every time I start my browser, even after changing my master password. It is letting me log in, but having to do so every single time will quickly become a nuisance! I do hope this gets fixed soon.
So why did you guys not force people to use master passwords that were not brute-forceable? That seems like an easy thing to do. And it would prevent this attack vector altogether.
Now, I did use a master password that can't be brute-forced. So why am I forced to change my password? Why not give me an option to acknowledge this possible leak and not change my master password? If you want to confirm via email, that's fine with me.
Unable to login. Cannot access account even with passphrase.
Trying to change my MasterPassword on my PC:
I get this:
"Your account settings have been restricted you from logging in from mobile devices that do not support YubiKey authentication"
What to do next ??
In my opinion, LastPass handled this incident well. It is important to communicate openly with your customers - would you rather like it the way Sony handled their incident? I realize that this has been (and still may be) an inconvenience to a lot of customers, but I'd rather be "locked out" for a couple of hours than have my every password available to some malicious third party.
Still, I agree that you might want to rethink your network structure and open yourself to external auditing. But it seems like you've realized this as well, as I would expect of a clever company. Thanks for your great service and your paranoia - you can never be too careful with sensitive data, especially when its sensitivity is your business ;-)
Your paying customer, Chris
P.S.: To all those flaming and moaning about your loss of trust in LP: Consider yourself lucky that LP communicates this well with their customers. In a way, they give you an out - "Hey guys, look, we're sorry but there has been a minor abnormality, it's probably nothing, but still we realize that the safety of your passwords is incredibly important to you. So here we are - we're going to tell you everything that is going on, so you may stop using our service as soon as you want if you feel concerned for the safety of your data." Consider that. I'm sure LP will be sad to see you go, but it is up to you.
Couldn't you have done the "You have 3 days to change your password" approach instead of this ridiculous knee jerk response?
We understand our passwords are important. That's why we're using lastpass instead of one password for all our accounts. So you don't have to slap us across the face to make sure we're aware.
You were so concerned about the security that you forgot about the concerns of the people using this system.
If you get this message: An error occurred while retrieving your accounts.
Close all of your browsers, clear cookies and log in again. It worked for me.
Hi guys. Cannot login at all. Same message that I read on this page: "An error occurred while loading your sites. Please relogin."
Don't know what to do..
Ho Hum - the necessary evils of internet security - thanks for the heads up and hopefully you have headed off having a 'Sony moment' ;)
I think I'll go back to remembering my passwords myself. This stank of a phishing attack on 1st look.
I notice that some people have a problem in that they couldn't reset their lastpass password because their email password was itself stored with lastpass.
Storing the password for the email account that you use to access lastpass seemed to me from the very beginning to be a stupid idea, for this sort of reason. For much longer than lastpass has existed, an email account has been a sort of key to all other accounts, because it is the normal way to reset passwords. So the people that did this deserved to get shafted through their own idiocy. They cannot complain about lastpass.
Personally I find it annoying that lastpass does not have the feature to not store a specific password for a specific username/site (it is able to not store a site, but not a specific user/site combination.) For this reason, lastpass continuously nags me in offering to store my email password, which I don't want it to do. (I am able to remember a couple of passwords after all!)
The problem that lastpass solves for me is all the other countless accounts for which I would otherwise use the same password for, not my email account which I use every day. In my opinion lastpass should refuse to store the password for the email that the lastpass account was set up with.
Changing my password is not really a big deal for me, and I admire your integrity
Lots of drama going on. I was unable to login. I was not taken to any password reset page or anything, just an error message. So I reset my password. Now read this very carefully, After changing my password, I am now able to login with my OLD password.
So tell me, will you compensate me if my credit card and bank password gets stolen and I lose money? Guess I should have never trusted a 3rd party with my secrets. Better to store passwords locally using keypass portable and carry it on pen drive.
I'm trying to re-enable my account. I insert my email address in the form and, after I receive the email, I click the link in it.
The problem is, when I click the link, the server responds my link is no more valid. It's the link you sent me 10 sec before, why isn't it valid? What do I do now?
By the way, I used both chrome and firefox and I cleaned cache and cookies. I even tried to type the link in the browser bar.
@Gourav
Enjoy your hell of a time trying to regain access to everything when you lose the pen drive or it finally dies. Flash memory doesn't last forever.
Thank you for taking our security seriously LastPass Team. God knows Sony didn't/doesn't.
Stumbled my way here from Howtogeek's Twitter feed. I never received an email or a prompt to change my password but I'll probably do it anyway just for the sake of keeping it fresh since I haven't done it in so long.
Never hurts to keep your password fresh and strong to keep up with the times.
Hi I've been a big fan and have become reliant on lp since thoroughly reading the website and the tech in use, but I'd be more likely to have my fears allayed if the previously posted comment from someone was answered by Siegrist 'I thought the whole point of LastPass was that even if hackers were able to obtain bits of information regarding your account, none of it would be even legible. The passwords are encrypted, the information is encrypted, and LastPass even boasts that they don't keep our password stored on their server in any identifiable way. So why force a mandatory change of password when the system itself should protect us against attack?' Is it not possible to convey how it works without being a mathematician or computer scientist? Has the marketing been a little economical with the truth?
I think the take home message for a lot of folks here is that there are in fact two passwords that a person should always remember: master password and email.
Make both strong passes, but remember both, as you never know when you may hit a wall with whatever cloud service/program you use to manage your accounts.
Hi folks
Could it be just false pretenses to get all the passwords? I trusted LastPass that they store only my encrypted data, but they have the chance to store my pwd on every login (if they put a logger into the plugin, or they can change the code of the online platform so that the key could be stored there, or they could store our key when we change our pwd (and now everybody has to do this)). I'm concerned about my data. I think it is time that anybody (3rd party) reviews the code of the LastPass engine. I'm now starting to pull worthy pwds (PayPal, bank, credit card, ...) out of LastPass and will store them somewhere else. But on the other hand it is very fine when LP informs people when they think that there could be a danger, and forces them to do something against this danger. But in this case I am in a conflict whom I should trust: my bad feelings or LP.
best regards
When I try to change my lastpass master password I just get a "Sorry, a problem occurred. Please try again."
What's the issue with that?
arrrgghhh....
OK, maybe something happened - Action now - That's great!!
But it would be NICE to get a status response on the current issue "Failure to change the MasterPassword".
Going home now - thinking of other ways to secure my passwords - pen and paper maybe.
Autofill is currently not working (after changing the master password), anyone else experiencing this?
You guys are completely nuts. You are cutting me off ALL of my passwords. Including my email. What the heck were you thinking? Who the heck gives you the right to do this.
My mail address contains a + symbol, but it's ignored by the input field in the password change form. So I can't change my password! Please help.
Can someone from lastpass reply, please? I need to access my data and nobody replies to support email nor comments here.
Problem: I cannot log in to my email, I don't know the password, it is in my lastpass account.
And now?
How come I never received a notification regarding this? From what I read, the notification was received in your browser when you want to log into LP.. I didn't get any of this at all. Should I be concerned?
Funny thing is, I was expecting something like this to happen and changed it regardless to a higher character password!
Most people here seem to be either glad or very annoyed by what's happened. There are some things that annoy me and some that I'm glad of.
Things that I'm glad of:
- Lastpass take note and account for what is happening on their network
- Lastpass seem to have the right idea on the convenience vs. security trade-off.
- Changing my master password was easy and worked first time.
- That lastpass will submit to a 3rd party audit.
Things that I'm annoyed about:
- The first I heard was when I tried to log in and had to spend work-time sorting it out, not by email.
- I had no real way of knowing whether lastpass was asking me to reset my password or someone who'd hacked their webserver.
- That user data isn't kept away from other servers that could be insecure meaning that lastpass can't confidently rule out user data having been accessed.
- That lastpass hadn't previously submitted to a 3rd party audit that may have flagged up these issues.
Thanks LastPass. Your swift action makes me even more sure that you're good to trust with my password details.
I think this was appropriate action, and I easily changed my password without any issues.
To the complainers, if you had a good password, you don't have anything to worry about. As to not being able to access your email:
1 - ensure you have LastPass data backed up. I back up mine, encrypt it and then stick it on Dropbox.
2 - shouldn't you know the password of your email as a fail safe? I'm not suggesting using a poor password, but instead of remembering one solid password, just remember 2/3. If you have your email, you can reset the rest of the accounts.
If you disconnect the computer from the network, you can login to the local copy of LastPass. You then copy the email password in the clipboard and go back online to access it once LastPass asks you to reset the master password.
What's going on? I'm trying to login through the web interface but getting nothing. The page just reloads with login form empty. If I enter wrong password I get "Invalid password!" so password is not the problem. What do I do?
Good security, nice service, thank you
>he uses dropbox
>laughinggirls.png
>implying dropbox doesn't have security issues
>implying you just didn't go full retard
@Lastpass: please tell us why the decryption/re-encryption of our passwords is done through your website - If I were a dedicated attacker, I'd do exactly what you're doing right now: have the customers deliver their old passwords on a silver plate, then grab the stored passwords while they are unencrypted.
How is THAT good security?
I've re-logged in several times now, and I have still not been asked to change my master password. I know I can change it myself, but this is obviously a sign that not everyone will be aware of this. If I hadn't seen a link to this blog post(!) on reddit, I would have NO IDEA at all.
I also don't understand why you didn't email about this. Surely you could send the emails in less than a few days or so...?
Yes this is inconvenient, but I congratulate LastPass on being open and honest enough to deal with the problem in a potentially paranoid fashion rather than furtively work behind the scenes and doom themselves to failure. If anything, this makes me trust LastPass with my data more than before.
Keep up the good work, guys.
I have requested via email the ability to reset my password, but I don't get an email. I am locked out of all my accounts. LastPass is a JOKE!
I logged out in the hopes I would be able to log in again and get a new password prompt. Instead I'm just locked out. Gives me an error and redirects me back to a blank login screen. This is poor.
Perhaps now Joe will take my many requests over the last two years, as well as those from other users, to make a way for lastpass to operate completely offline without need for storing data anywhere in the cloud.
The constant replies of "it is not conducive to our business model" are getting tiresome. This is why I refuse to use lastpass. Until I can decide when/if I want to store my data on your servers, lastpass will not be installed or recommended by me to anyone.
So you're rolling out PBKDF2-SHA256 with 100.000 iterations. Great.
You however did not mention how the data/passphrases which may have been leaked were currently hashed. Could you elaborate on that?
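An added illustration, not LastPass's own code, of what a client-side PBKDF2-SHA256 stretch at 100,000 iterations looks like and why the iteration count matters for a leaked hash: the split into a vault key and a separate login hash, the server-side re-stretch, the salts and all function names are assumptions made here for the example.

```python
"""Client-side PBKDF2-SHA256 stretching sketch (added example, not LastPass code).

Assumed design, not taken from the post: the master password is stretched into a
vault key that never leaves the client, stretched once more into a login hash that
is sent to the server, and the server stretches that again before storing it.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

ITERATIONS = 100_000  # the iteration count discussed in the comment above


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte (AES-256 sized) key.

    This key is what decrypts the vault blob, so it stays on the client.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One more PBKDF2 round over the vault key (assumed construction), so the
    value the server receives for authentication is not itself the decryption key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=32)


def enrol(login_hash: bytes, iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Server side: re-stretch the received login hash under a fresh random salt.

    Returns (server_salt, verifier); only these two values sit in the database,
    so a database dump still costs the full iteration count per guess.
    """
    server_salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", login_hash, server_salt,
                                   iterations, dklen=32)
    return server_salt, verifier


def check_login(server_salt: bytes, verifier: bytes, presented: bytes,
                iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison of a presented login hash against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", presented, server_salt,
                                    iterations, dklen=32)
    return hmac.compare_digest(candidate, verifier)


def offline_search_seconds(candidates: int, iterations: int,
                           hmac_per_second: float, stretches: int = 1) -> float:
    """Rough cost for someone holding leaked material to test `candidates` guesses.

    Each guess costs `iterations` HMAC-SHA256 evaluations per stretch: one stretch
    if only the vault blob leaked, two if the server's (salt, verifier) pair leaked.
    Raising the iteration count scales this cost linearly; a long random master
    password scales `candidates` exponentially, which is the stronger lever.
    """
    return candidates * iterations * stretches / hmac_per_second


if __name__ == "__main__":
    # Constructed sample values; real clients use a per-user random salt.
    salt = b"constructed-client-salt"
    pw = "correct horse battery staple"
    key = derive_vault_key(pw, salt)
    s, v = enrol(derive_login_hash(key, pw))
    print("login ok:", check_login(s, v, derive_login_hash(key, pw)))
    print("1M guesses at 1e9 HMAC/s, 100k iterations:",
          offline_search_seconds(1_000_000, ITERATIONS, 1e9), "s")
```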
What is the solution for the "An error has been encountered while loading your sites"?
Can someone publish this information???
This is why I signed up with Lastpass. NOTHING is completely secure, but unlike a certain huge corporation (*ahem*Sony*ahem) Lastpass notified the users immediately, locked the accounts, and took measures to be sure everyone's data was safe. Way to go and this only makes me trust my data with Lastpass even more!
Thank you very much for the information, I'd rather have several infos each month like this than having all my passwords stolen.
I think it's great of you to constantly monitor the activities.
@Anonymous 2 up, Do you really consider this a notification? Even I have an account and I have received no email about this...Like others, I stumbled across it through a link on a completely unrelated site....Yes, great notification.
I'm a LastPass premium user (several times over, for different people I know), and was considering something like this for my work (small international IT team with an insane/absent password scheme).
I am extremely disappointed that these systems were even associated. The LastPass production servers should be completely isolated from ANY other system, except via the few custom interfaces you've defined, and those should have an extreme level of auditing, in this regard. There should be no other service running on it, not even development services.
I hope this shock/scare forces you to look at your internal security, physical security, and similar, a LOT closer. For instance, can a single developer commit changes to the production source? Can a single developer access the live data with much ease?
Separate everything.
Additionally, continue investigating this to the best of your ability, and update us as to changes you've made. I've been saying this for a while, but I'd like an RSS feed tied to some sort of change management system, where I can see what changes have been pushed out each day, even if they are absolutely minor. I am interested in seeing what's happening/changing.
However, having said all of the above, I am happy with how you've handled this. While I'd rather have a few days to change my password, such is life. I just did it before, and had no troubles. I like your openness, honesty, and if you had treated us anything like Sony, I'd have left you in a heart beat.
You've still got my personal business, but you won't have my work's business, until you dramatically increase your own security, and I see significant change in that department.
Also, the Grid data isn't stored unencrypted... is it?
I think it's about time I got a YubiKey!
For the third time... can someone give a solution ?????? Nothing works !
> OTP for recover gives : Sorry, the link you have requested has expired
> Login gives : An error has been encountered while loading your sites
What the hell should i do ????
It is indeed bad news but people shouldn't be saying bad words to the LP team. They were prompt in informing about the anomaly and the process to change password was smooth and easy.
Just look at the Sony PlayStation network. They were hacked, credit card details were stolen and they informed after 1 week and still you have no clue what to do.
So please be patient and support this wonderful product.
A happy user since beginning.
@Dushy:
> and the process to change password was smooth and easy.
Really? Look at all those people who cannot even login, let alone change password.
I agree with the others in appreciating the transparency on this. Rare these days because most companies want to put a spin on attacks. Nice job LP on the communication to customers. Because I use a secure password, I am also not concerned that someone could have accessed data on your server.
I will also share my experience that something isn't right with how LP deals with Chrome on Mac. When I saw this, I launched Firefox (Mac), went to the web site, and changed my master password. No problems at all...worked fine. Then I opened Chrome and logged into LP, but was told that I need to verify that I have access to my email address to reactivate my account. Strange, but ok, I did it. Then I had to reset my master password...again. I reset it back to my previous one, then reset it again to my new one.
All is well now.
Hey LP team...This is really troublesome, I regret using this tool. It gives me a headache. Please, HELP me to access my VAULT.
I appreciate your transparency.
Didn't get a notification email. I found it from a tweet from a friend. I had noticed that, for some reason, Lastpass was logging me out of the extension (but it was working some of the time - someone else logged in as me, perhaps?)
I've now reset to new password, using the OTP feature... and now it won't log in with the new password. Very concerned.
Just like Anonymous at 04:31 AM I get the message "A problem occurred when changing your password. Please try again." every time I try and change the master password.
I have tried various different master passwords and I have verified that the current master password is correct. But I am still getting the same error message and I cannot change the master password on any of my computers.
I'm also getting the "An error has been encountered while loading your sites" message when I have "Save your password" enabled in IE which normally logs me in automatically when I start the browser. Now, I get the error message, and have to click on the LastPass button and then click Login (with the password already filled in automatically.) So not a show-stopper, just an inconvenience. I expect this is a temporary bug, but will contact support if it persists.
Okay - I was Anonymous from a few moments ago (7:01AM) - after getting locked out, waiting 15 minutes, my new password IS now working - I would guess that the servers are getting quite a work out at the moment.
So, if after changing passwords nothing happens - don't panic - just wait.
Changed password, then I get invalid password after trying to login again. I know I'm using the correct password. It's the same as the old one with a little prefix. I guess you should add a note to the blog post as seems many users are having this problem.
Please publish the IP address of the network traffic anomaly. This is important.
Thanks for getting this out to the public - going full disclosure even when you are not 100% sure there was a breach is way better than covering it up. Remembering a new, strong password is a bit annoying, but it's only one and I'll gladly do it for the security aspect. Keep up the good work!
Now lastpass is having security issues?
I'll be damned if a company I keep anything personal with isn't having some security breach nowadays.. /sigh
Why are people making support requests on a blog post? Go through the proper channels and I'm sure they'll be able to support you so much better.
Why do I read about this on Techmeme, and not via email from you? How do you plan to alert users who don't frequent sites where your f-up is highlighted?
I am assuming that since I use a yubikey, that even if they broke my passphrase, that it wouldn't do them any good?
Thank you for being so upfront about this! I am personally not worried about my passwords.
However, I didn't get the notification to change my password in Opera when logging in through the extension. I just got immediately logged out again (which is what made me wonder if something was wrong in the first place), and nothing more happened. Only when logging in through Chrome did I finally get the notification.
STOP yelling about them sending emails. First off, if they have over a million users, it would take a long time to send them out without getting spam filtered (and even then, at least some WOULD get spam filtered). Secondly, you're going to see the password change message BEFORE you email (since they logged everyone out), so who cares about an email? You already know.
Paranoid people holding your encrypted blobs is a good thing. Don't let a few annoying anonymous cowards steer you away from the service.
Still, using LP is much better than typing your password on the keyboard because of keyloggers, and they are much more popular than hacking password managers like LP... and it's not efficient... hackers would still need to decrypt all data which is simply impossible with given computer power and time.
I am not receiving the security email from LastPass.
Anyone else having this issue?
Hey guys,
your honesty and openness is very much appreciated. The way you handle this situation and the way you communicate this to your customers actually ensures my trust in your service - However, something like this should remain an isolated incident and raise your awareness that security measures need constant auditing and development. Keep up the good work!
I can't log in to lastpass at all. How am I supposed to change my master password?
Help. Quickly.
Kudos to LastPass for full disclosure and taking appropriate action on this immediately. Yes, it is somewhat inconvenient, but when you weigh this small inconvenience against the added convenience LastPass gives you in not having to remember hundreds of usernames and passwords, this is a small price to pay. Thank you to all the LastPass folks for a fantastic product!
This is a good way to handle this and gives me confidence in the service. I use a strong password and so the potential security threat is minimised, but for everyone complaining about security issues - companies that store potentially "important" data are *always* going to be a target for hacks.
What is important is not that hacks happen, but that their success is limited, and the target implements the proper procedures and response to notice, inform, and deal appropriately with the situation.
Way to go guys.
You can use the support@lastpass.com address to report problems. I received a response in under 10 minutes.
@Lastpass: Good job! Good luck!
I can't sign in to my vault, to change my password. I get the error...
"An error has been encountered while loading your sites. Please relogin."
wtf LastPass? Not a happy bunny. >:(
Thanks for the responsible disclosure on this. However, I found out from a third-party (never got the email). Did you also send the password change request to Yubikey users as well?
While I appreciate the full disclosure, it seems more network traffic analysis and logging is in order.
My Yubikey requirement has made me feel much better about this and I'd highly recommend one to anyone using LastPass.
Oh man this makes me angry. I read the blog post, confirmed the email, changed my master password... It seemed to let me in the first time after that, but then issued some stupid error about failing to load my sites. Now it just says "invalid password", which is ludicrous. If I can't access my shit I'm going to go nuts.
@Anonymous (Oh man this makes me angry)
Try to recover your password:
https://lastpass.com/support.php?cmd=showfaq&id=375
@Anonymous (I can't sign in to my vault)
Try to log in using the extension:
http://sunbeltblog.blogspot.com/2011/05/use-lastpass-change-your-master.html
The threat may be real, but the handling of this process is almost stupid... When I tried to log in, the 'forced' process started. I thought my account had been compromised and some attacker was trying to capture my data. No heads-up or alerts - not good!!!
There are a lot of people who seem to be disappointed that their information is safe.
I changed my password but when I try to login I repeatedly get the error "An error has been encountered while loading your sites. Please login again"
The annoyance is that the password changing doesn't actually work...
"Your settings could not be updated. Please retry later." error
Getting an error after resetting the password during the re-encryption process. Lame.
I try to reset my password and I get:
Sorry!
A problem occurred when changing your password. Please try again.
I have tried two different password changes with no success.
Pretty disgusted to find out about this from Twitter. I wasn't required to change my master password, nor did I receive any communication from LastPass via email, or alert in the toolbar plugin. Changing the password is obviously sensible, but rather like closing the gate after the horse has bolted, as, if the data has been acquired, it'll be cracked using old passwords. My exceptionally long LastPass password may have annoyed me, but maybe it saved me too. I've yet to decide whether to continue as a customer. I've decided to continue as before and not store ANY financial passwords in here as your systems clearly aren't secure enough to handle them.
So, no password change prompts for me this morning. However, even if my password hash was accessed, according to http://www.mandylionlabs.com/documents/BFTCalc.xls, my 17+ character complex password would take somewhere in the span of 300 million years to crack. I do not use dictionary terms, but instead use lower/upper letters, numbers and special characters. It can be a pain to remember, but in times like these, I am glad it is as complex as it is. Also, as a premium user, I took advantage of the Yubikey which has given me even more security. So, if you have done the same, you should not be too worried. If not, consider upping your security posture a little more so things like this do not become as problematic. My two cents at least.
My account also uses a + in the email address, which is being filtered by the password reset page, even though it works everywhere else at LastPass.
So, I can't reset my password and cannot enable the account :(
I've emailed support but don't know how long this will take to fix.
Huge kudos to all you guys at Lastpass for this. It's obviously inconvenient for users, but knowing that you take security seriously, are transparent with users and actually mean what you say is worth a lot.
Compare and contrast to Dropbox... I know which company I trust.
I appreciate your effort to inform users about whatever data leakage matter you faced, and that you took precautions without worrying about market image. :D .. Love to be your user
Why why why did I also find out about this on Twitter??? AND every time I try to change my master password it gets to uploading encrypted data, I get an error. I understand it's a free service, but I do also pay for the mobile service, so a little help and communication would be nice.
not2fly(at)hotmail(dot)com
OK, I clicked through on the email from IE instead of Firefox Portable and it worked.
Heads up to everyone: portable app browsers seem to be a fail when you do the reset.
I'm confused (and a paying subscriber)..
Firstly, I haven't had ANY notification of this. OK, I'm coming from a known IP block.. but still I'd like to know!
Secondly.. Why is my password anywhere near lastpass.com servers.. it's supposed to be just stored locally?
The '+' in email problem went away when I tried to log in again. I don't know if this was because I tried again or because it'd been fixed. At least I can connect now :)
Good Day!
I get this:
>>
Sorry!
A problem occurred when changing your password. Please try again.
<<
We get the same issue. No copyright infringement intended:
>>
Anonymous said...
Just like Anonymous at 04:31 AM I get the message "A problem occurred when changing your password. Please try again." every time I try and change the master password.
I have tried various different master passwords and I have verified that the current master password is correct. But I am still getting the same error message and I cannot change the master password on any of my computers.
May 5, 2011 7:02 AM
<<
Well, LastPass is nice. They did a good job. But in this human world, everyone gets robbed, fooled, or hacked. :) Even Google, or worse Sony, weren't immune (not even highly secured classified military projects). It is just that we live in this kind of sorry world. As a suggestion, guys, do a backup. I use KeePass synced via Dropbox using the strongest encryption with a neat keyfile. Use 2-way verification in your Google accounts too. But I hope LastPass will eventually be able to resolve these issues. It was a nice extension to lose.
More Power,
Maj
This is low enough on the list that I don't think anyone will read this far down. Anyway, my concern is not just confidentiality but integrity. Will LastPass be making a statement that they feel that they have control over their code? Do we know if the local plugins have been compromised?
Good thing that I found a link to this blog post on a security forum, otherwise I wouldn't be aware of anything at all...
I had errors changing password through Chrome; it would error after encrypting it. I tried with Internet Explorer and this worked fine.
Thanks for your honesty LP. Better safe than sorry.
BTW I am sure I paid for premium service via credit card. Are those details compromised also?
This is concerning: I wasn't forced to change my master password when I logged into my vault on the lastpass.com website. When I went to settings, it looked like I could then change my master password WITHOUT the extra authentication mentioned above (IP address or email address). Does this mean the forced password change and accompanying extra precautions only apply when using the LastPass plugin? If so, that is a serious oversight.
Dave M: check your spam filters for the re-enable email. That's where mine ended up.
I logged in this morning, but didn't see any indication that I would be FORCED to change my PW. I wasn't prompted at all. ????
The biggest WTF of this is that I just happened to stumble across a link to this post on another blog. Why not send out a note?
What LastPass should have done is open a window prompting users to reset their password EVERY TIME they log in to LastPass instead of disabling login altogether!!
@Anonymous
"I'm confused (and a paying subscriber)..
Firstly, I haven't had ANY notification of this. OK, I'm coming from a known IP block.. but still I'd like to know!
Secondly.. Why is my password anywhere near lastpass.com servers.. it's supposed to be just stored locally?"
I have also still not been officially notified in any way, nor logged out (logging in with my old password works without any notifications as well).
On your second point, however... The entire point of LastPass existing is that the data is stored on the LP servers. If you don't want this, I'd suggest uninstalling and switching to a local solution such as KeePass. That would however mean that you need to carry the file around with you (or store it online manually).
Mailing a million+ members takes too long?
Are you serious?
You claim to have security in mind, but as a resolution to solve a security issue with everyone's master password you let the system send an email to their email. How many people do you think have a randomly generated password for their email accounts stored in Lastpass?
Also, if my master account has been compromised.. how do I trust nobody has used it before you spotted the issue/attack? How can I trust ANY of my logons stored in your software to be secure still?!
I cannot change my password.
The entire procedure ends up with a generic "error, please try again later" error.
It's the only thing it says after re-encrypting and uploading my password files to your servers.
THAT IS A HUGE ISSUE.
Same issue when changing master password: it uploads encrypted data then fails. Also, when using the LastPass extension in Opera to sign into the vault, it does for about 5 seconds then signs out again.