May 4, 2011

LastPass Security Notification

Update 10, May 16th, 3:20pm EST - Final update to this post; we'll make new posts going forward

Actions we've taken:
  • Multiple security experts and firms were brought in to help us; we've engaged one firm to do a further source-code-based review.
  • We're committed to doing several reviews per year and sharing the results of these reviews.
  • We've had some useful suggestions from the community -- we appreciate your input: https://lastpass.com/support_security.php
  • One example: to reduce the chance of phishing, Iastpass.com was registered -- that's a capital i instead of an L. We've also purchased 1astpass.com.
  • All non-core services have been completely removed from the LastPass network; LastPass now runs the web application and DNS servers only.
  • Forums, Helpdesk, etc are run offsite on 3rd party servers.
  • We're looking into moving our support tickets off our network too.
  • Amazon was utilized to send out the email notification; we're better able to send large amounts of email quickly in the future, and thank Amazon for working to spin us up quickly.
  • We've commissioned a write-only off-site aggregated log server which can only be accessed via the console. This will give us a guarantee that any logging is intact.

The good:
  • We were prepared to both disable accounts and force people through password changes, which was something we had planned for.
  • The steps we took protected all users, even those who used weak master passwords.
  • Having a live backup system proved invaluable for people who ran into issues, or forgot their new master password after changing it.

We made a number of tactical errors including:
  • Out of the gate, we inconvenienced a large number of people who knew their passwords were strong and therefore never could have been at any risk.
  • Massively underestimating the amount of media attention we'd receive. This had 2 effects: 1. Greatly increased the number of users attempting to change their passwords -- our plan was for people coming from new computers which is a small percentage of the overall user base per day that we could have handled; 2. Drove a big increase in new users as people interested in LastPass attempted to check us out.
  • We didn't have any previous IP tracking data on previously used computers for people without login tracking. This caused nearly all these people to face password change immediately.
  • We moved too slowly to shut down password changing once the system was under stress.
  • We weren't prepared to send large amounts of email quickly, especially after turning off a server. (Resolved going forward w/ Amazon)
  • Some of our customers were unfamiliar with logging into LastPass in offline mode, panicking a number of them.
  • Blogger (who we use for blog.lastpass.com) had some downtime through the event.

Additional changes coming:
  • Our next release will make it clear how to log in offline from the login dialog.
  • We've purchased a large amount of additional server capacity so we can handle extreme load events better in the future.
  • We'll be utilizing the 'from a new location' capability in a few new security features.

Update 9, ~11am 05/09 EST:

Many users are changing their password and then determining they can't remember it; a number have also run into issues with password changes and want to go back. You can now do this yourself without contacting us: https://lastpass.com/revert

Update 8, ~9am 05/07 EST:

We enabled password change for greater percentages overnight and now for all users. Again, please note that there is no need to panic: all accounts were put into a locked-down mode that only allows previous login locations or verification via email until the password is changed.

We're asking any users that have current issues with a password change to use https://lastpass.com/revert to restore you from backups. Many have been people forgetting what password they changed to, so make sure you practice that new password a number of times after you change it.

We appreciate your patience; we'll continue to update with any changes.

Update 7, ~6pm 05/06 EST:

Everyone should be able to log in (after verifying your email if you are coming from a new IP). We've begun allowing all premium users and a percentage of users to go through password change.

Please note that there is no risk in waiting if you can deal with verifying by email when you use a computer at a new place (IP).

If you experienced an issue with a password change and want to be restored from backups we can do that too and will provide a URL to do it shortly.

Update 6, ~10:30am 05/06 EST:

If you have been experiencing an error contacting the server, please try logging in both via the plugin and the website - you should now gain online access. If you still see an error, please open a support ticket or email support@lastpass.com, if you haven't already done so.

Currently we're not allowing users to change master passwords until our databases are completely caught up and we have resolved outstanding issues. We will update our users via the blog when it is possible to do so.

Thank you for your continued patience.

Update 5, ~1:30am 05/06 EST:

We've added the option for you to say that you know your master password is strong and to avoid password change; we apologize for not having that available when we announced.

We've identified an issue with roughly 0.5% of users that impacted their master password change, and will be contacting you tomorrow and rolling you back to before the change.

Our focus right now is on ensuring we can resolve users with issues; we'll continue to provide updates here.

Update 4, ~10pm EST:

Joe's interview with PCWorld covers more details on what happened, what our thought process has been, and what this means for our users: http://www.pcworld.com/article/227268/exclusive_lastpass_ceo_explains_possible_hack.html.

We continue to work as quickly as possible to address user support.

Update 3, ~4:30pm EST:

Logging in offline should be working everywhere if you have logged in using that client before. If you're having problems with this, please attempt to log in via the website: https://lastpass.com/?ac=1 -- that should now take you through an email process to enable your current IP.

If you're having problems getting your data with pocket, make sure you're selecting to login to the local file, not logging in at LastPass.com.

If you changed your password and are now having problems, we'll help with that too; please email us if that's the case and include your LastPass email address.

For those who haven't been prompted, and have continued to use LastPass without issue -- we've judged the risk to be low if you're using the same IP -- we're only raising the issue once that changes.

Finally, if you have issues with password changes please email us at support@lastpass.com. We can revert you, or we can pull data from backups, but please try LastPass Icon -> Clear local cache first.

Update 2, 2:15pm EST:

Record traffic, plus a rush of people making password changes, is more than we can currently handle.

We're switching tactics -- if you've made the password change already, we'll handle you normally.
If you haven't, the vast majority of you will be logged in using 'offline' mode so you can still use LastPass like normal and get back to your day; only syncing of new passwords should suffer (and you'll see the bar).

As load lowers we'll increase the percentage of people being sent through email validation / password changing.

For people experiencing problems, please email us at support@lastpass.com -- we have seen a few reports of bogus data post change. We think this is due to you downloading a stale copy; if you go to LastPass Icon -> Clear Local Cache and try again it should work.

You can access your data via LastPass in offline mode or by downloading LastPass Pocket: https://lastpass.com/misc_download.php (choose your OS).

---

We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.

We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later.

We're also taking this as an opportunity to roll out something we've been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We'll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we'll continue to find ways to reduce how large a target we are.
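How the server-side scheme announced above can be implemented, as an added example that is not LastPass's code: PBKDF2-HMAC-SHA256 with a random 256-bit salt and 100,000 rounds, a constant-time verifier, a rehash check for rolling the new parameters out to existing records, and a rough timing of how the round count raises the cost of guessing against a leaked verifier. The record layout, the function names and the use of one salt per user (the post only says "256-bit salt") are assumptions.

```python
"""Server-side master-password verifier: PBKDF2-HMAC-SHA256, 256-bit salt, 100,000 rounds.

Added example; record layout, function names and per-user salt are assumptions,
not LastPass's implementation.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 100_000   # round count named in the post
SALT_BYTES = 32        # 256-bit salt, as in the post
HASH_BYTES = 32        # SHA-256 output size


def hash_master_password(password: str, salt: Optional[bytes] = None,
                         iterations: int = ITERATIONS) -> dict:
    """Derive the value stored for a user.

    A fresh random salt is drawn per record (assumption), so a leaked table
    cannot be attacked with one precomputed dictionary. An explicit salt is
    accepted only to make derivations reproducible in tests.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  iterations, dklen=HASH_BYTES)
    return {"algo": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt, "hash": derived}


def verify_master_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"],
                                    dklen=len(record["hash"]))
    return hmac.compare_digest(candidate, record["hash"])


def needs_rehash(record: dict, iterations: int = ITERATIONS) -> bool:
    """True if a record predates the current parameters and should be re-derived
    on the user's next successful login (how a rollout reaches existing accounts
    without the server knowing their passwords)."""
    return record.get("algo") != "pbkdf2-sha256" or record["iterations"] < iterations


def seconds_to_exhaust_dictionary(words: int, iterations: int, samples: int = 3) -> float:
    """Rough single-core estimate of how long a leaked verifier withstands a
    dictionary of `words` guesses at this round count. Measured on this machine,
    so only the ratio between two round counts is meaningful."""
    salt = b"\x00" * SALT_BYTES   # constructed fixed salt; used for timing only
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations)
    per_guess = (time.perf_counter() - start) / samples
    return per_guess * words


if __name__ == "__main__":
    record = hash_master_password("correct horse battery staple")
    print("verify ok:   ", verify_master_password("correct horse battery staple", record))
    print("verify wrong:", verify_master_password("Correct horse battery staple", record))
    # Constructed legacy-style record: a single-pass salted hash predating the rollout.
    legacy = {"algo": "sha256-salted", "iterations": 1,
              "salt": record["salt"], "hash": record["hash"]}
    print("legacy record needs rehash:", needs_rehash(legacy))
    for rounds in (1, ITERATIONS):
        est = seconds_to_exhaust_dictionary(1_000_000, rounds)
        print(f"{rounds:>7} rounds: ~{est:.0f} s per account for a 1M-word dictionary on one core")
```

The timing figures are machine-dependent; what carries over is that every extra round multiplies the attacker's cost per guess by the same factor it adds to one legitimate login.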

For those of you who are curious: we don't have very much data indicating what potentially happened and what attack vector could have been used, and are continuing to investigate it. We had our Asterisk phone server more open to UDP than it needed to be, which was an issue our auditing found, but we couldn't find any indications on the box itself of tampering, the database didn't show any changes escalating anyone to premium or administrators, and none of the log files give us much to go on.

We don't have a lot that indicates an issue occurred but it's prudent to assume where there's smoke there could be fire. We're rebuilding the boxes in question and have shut down and moved services from them in the meantime. The source code running the website and plugins has been verified against our source code repositories, and we have further determined from offline snapshots and cryptographic hashes in the repository that there was no tampering with the repository itself.

Again, we apologize for the inconvenience caused and will continue to take every precaution in protecting user data.

The LastPass Team.
Update 1:

We're overloaded handling support and the sheer load of password changes is slowing us down. We've implemented a way for you to verify your email and then not be immediately forced to change your password for that IP, access from any other IP would bring you back to email verification. You can now wait a few days if you know you'll be on the same IP without loss of security, and due to this overloading we think that's prudent to wait.

We're asking if you're not being asked to change your password then hold off -- we're protecting everyone.

1,487 comments:

  1. Quick question; lastpass seems to be unusable until I change my master password, but I can't login to gmail without lastpass giving me my gmail password. So how do I reset my lastpass master password if I can't login to my email?

  2. @Yansky Sorry about that -- you have a few choices:

    1) Log in using 'offline mode', then reconnect your cable/wireless connection and go to gmail... This is the preferred method.
    2) Download Pocket, and have it find your local offline copy from the drop down of files and login there.

    We realize that's a big inconvenience; we're planning on updating the extensions to avoid this logout tomorrow morning.

  3. This is very disturbing. Whilst it may well be overkill and paranoia, the fact that attempts and anomalies are being logged doesn't make one confident in storing their data with LP :(

    LP have continually dismissed independent auditing. I ask now...isn't it time you gave in and let a 3rd party audit you so you can find these things such as "server open to UDP more than it needed to be"??

  4. The LAST password you ever had to remember huh? Nice... now I have to train all my family members to learn yet another password *cry*
    Not your fault, but not very convenient!

  5. If one is using 2 factor auth, will that change anything? In other words, does 2 factor auth (grid method) provide an additional meaningful level of protection from something like this?

  6. @Anonymous This isn't personally identifiable data being logged; it's critical to detection of issues, and in most cases more basic, like traffic to and from each machine.

    That said, a 3rd party audit is certainly prudent and something we'll commit to; we've worked with a few good firms in the past but would welcome recommendations if there are good firms for this kind of application.

  7. @Omar Shahine - Yubikey would protect you quite well, but with Grid we have the coordinates and it's possible that the grid coordinates could have been accessed -- we just don't know so if you regenerated/reprinted your grid coordinates that would be better.

  8. When I try to reset my master password it says that my account settings restrict login from my mobile device. I'm using my PC and I still get this message, what's going on?

  9. Thank you for your post. While I've been using a pass phrase and I have a yubikey, I am extremely grateful that you are paying attention.

  10. Seriously dude, this is bad stuff. I'm locked out of ALL my different accounts, and it isn't accepting my lastpass master passphrase. I guess I learned my lesson here. There is no way in hell that I'm storing my important logins/passwords in the cloud again.

  11. @Anonymous "locked out" -- We can revert your password change if you did one, email support@lastpass.com with your account email - a surprising number of people immediately forget their new password, we're working on this. If you haven't changed your password yet see my first comment on this thread.

  12. Ok Joe I will do that. I just found your account recovery page here: http://helpdesk.lastpass.com/account-recovery/

    If anyone else needs it.

  13. I'm confused. When will you be forcing us to change the password? I just re-logged in (after I saw this post), and wasn't prompted for anything.

    Using LP extension on Chrome 11.0.696.60.

  14. I am also getting the "account settings restrict login from this mobile device" error. Very frustrating...

  15. @SEV We're only forcing the issue right now when we see you come from an IP you haven't used in the past few weeks (if you disable logging logins this might mean immediately).

  16. @Anonymous "restricted this mobile device" -- we're on it; please give us some time and I'll post back here.

  17. Is there any solution to the "restrict login from this mobile device" error?

  18. I for one am glad y'all are on top of things round there. Thanks.

  19. Yes, I am "locked out." Not because I forgot my own password. Not because I compromised my password. But because I am forced to change my password yet I cannot do so because the Lastpass Password change system detects my browser as a mobile device and hence will not let me change my password. Was this mandatory panic thoroughly thought about before being initiated? A lot of us are paying customers too. It will take a lot for Lastpass to restore trust in the system, because I am out as soon as this fiasco is over.

  20. Keep up the good work and don't mind our "carping"

    A complaining Geek is a Happy Geek.

  21. I thought the whole point of LastPass was that even if hackers were able to obtain bits of information regarding your account, none of it would be even legible. The passwords are encrypted, the information is encrypted, and LastPass even boasts that they don't keep our password stored on their server in any identifiable way. So why force a mandatory change of password when the system itself should protect us against attack?

  22. Thanks for this update. Your security measures sound robust.

    Those of you trying to punish LastPass for communicating with its members may want to rethink that strategy for getting what you want from companies...

  23. In the future, it would be nice if you found a new method for keeping our security safe. My email password was a randomly generated password by lastpass, so I had a hard time getting my lastpass account back. I will keep my passwords backed up now, you guys might want to recommend that people do this... or make a utility that does it for us.

    Thanks,

    Alex

  24. A lot of us are effectively shut out from our own information for the time being. It's not mere inconvenience if there is urgent matter at hand for a customer.

  25. OK, so I sent the email verification and it asked me to then reset my master password. When I try to, I just get a popup saying invalid command! Also, when I try to simply log on to my account I just get bounced back to the logon page without any error or warning. Have you guys taken the service down or something? This doesn't look good!!

  26. @Anonymous "Locked Out" -- I'm really sorry -- we really want everyone to know that you __ALWAYS__ have access to your data if you can get logged in offline, or use Pocket against your offline copy that you download every time you login.

    That said I think I've resolved the issue if you'd like to try again to make the change.

    What we've done here is all about trust. Seeing something like this is easy to ignore and pretend it's just a fluke and move on with your life. Most companies wouldn't notice at all...

    We thought as much as we could about this given the time constraints of wanting to report it and do as much as we could to protect users as possible. We definitely fell toward the paranoid / protect users side.

  27. I got an error about not being able to log in on devices that don't support grid auth when attempting to change my master password. This happened repeatedly on two different computers (both Linux), when I tried an XP one it worked fine.

  28. All I get is "unknown error" when trying to reset my password... this is not cool

  29. Bastards! How the hell can I login to my email without the "one password"? The disconnect the internet hack doesn't work on any of my extensions and pocket won't let me login because of an IP change. In case you haven't figured out, some of us have dynamic IPs that change every now and then.

  30. I have a gmail account with the password stored on LP. LP is telling me I need to access my email in order to gain access to LP, but I can't read my email without LP!!! I read above some advice to login in offline mode. How do I do that? Please help, I'm completely locked out at this point and very unhappy with LP!!

  31. After changing my password I keep getting "Unknown Message!" Really? Come on LP.

  32. Still getting the mobile device error.

  33. After doing the password reset, this is what I see... I can't access anything, and nothing is working... there goes lastpass credibility...

    www.timeused.com/lastpass.png

  34. I can't login and change my password once I've verified my email, all I get is 'unknown message' as an error.

  35. @smug anon 12:19AM, how's that high horse and strawman working out for you?

  36. I'm also still getting the "Your account settings have restricted you from logging in from this mobile device." error when trying to change my password from my PC browser. I've submitted a support ticket via my (premium) account address: lastpass *at* ryan-goldstein.com

  37. I'm getting "Unknown message!" error while trying to change my password. I'm guessing this has something to do with the password reminder. This is really unacceptable guys! Maybe I should just go back to keepass. It is not as convenient but at least I have no one but myself to blame if something like this happens.

  38. To the people having problems with logging in, are you trying to login through the website, or through a browser addon?

    I had problems with the website, it wouldn't accept my master passphrase at all, even though I know it was right. However, I can login to lastpass through the firefox extension and access my database.

  39. What is fixed?

    Your account settings have restricted you from logging in from this mobile device from IE and Mozilla.

  40. you need to fix this unknown error problem asap

  41. @Anonymous "I thought the whole point of LastPass was that even if hackers were able to obtain bits of information regarding your account, none of it would be even legible"

    I'll try and explain this to the best of my knowledge (hopefully this is accurate).

    Also this post goes into some detail of how passwords are stored securely

    http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html

    The issue at hand here is that *if* the database of salted password hashes were stolen, along with the server salt, one could simply keep trying an infinite number of password combinations for a given email address. Once the attempt was successful, then they could log into LastPass using your username and password. Recall that they got your password by guessing till it worked. This is known as a "brute force attack". This is why LastPass is detecting an unknown IP accessing your account and requiring you to change your password.

    So the best thing you can do is change your password, that way if they guessed it, then they cannot gain access to your account.

    However, if the salted passwords + salt + encrypted data were stolen, one would simply have an offline copy of the data; that would be far worse, as said person has the ability to attack the database offline, and if they decrypt the data then they have all your data. I pray that this did not happen.

  42. Help, I'm getting an "Unknown message" when I actually reset my password on your site. Tried two different new passwords, same message. What can I do about this?

  43. I am still locked out of all my machines (2 Windows, 1 MacOS) because of the "account settings restrict login from my mobile device" NONE OF THESE ARE MOBILE DEVICES. When will this bug be fixed?!?

  44. Got rid of "mobile device" and now get "Unknown message!"

    If you're going to f*ck with people's passwords, *test it first*.

  45. I'm in Renable Account Hell. It tells me it's sending to my secondary email, but I receive nothing. I managed to use the recovery OTP to get in, but it then puts me back to the login page before I can change my password. I've emailed support and opened a ticket, but with the stuff going on, when will I be able to get my account re-enabled? It's not like I'm a security professional that needs their password or anything..

  46. FIREFOX works. When I use Chrome browser I get the "Unknown message" error.

  47. Oh, I found the export utility, very easy to use, and if there are any more security issues, I can always refer the spreadsheet!

    I'm going to recommend using the utility to everyone reading this blog: use it.

    Thanks again,

    Alex

  48. Where is the utility?

  49. Mozilla working

  50. Did you guys test this before rolling it out? I got the email and now I am getting the "mobile device" error. An eye opener.

  51. Ok so I got pwned by this message: "Your account settings have restricted you from logging in from this mobile device." and had to delete and recreate my account. Here is how I did it.

    - Download Lastpass pocket -> https://lastpass.com/pocket.exe
    - Run pocket.exe and login using your existing username and password.
    - Export your stuff to a csv file
    - Delete your lastpass account -> http://helpdesk.lastpass.com/account-recovery/ (4th option)
    - Recreate the lastpass account by signing in at lastpass.com
    - Using your lastpass browser extension -> Tools -> Import from -> Other -> Select "CSV" from drop down
    -> Copy and paste the contents of the lastpass export csv file into the window and import everything.
    -> Done. Pain in the ass.

  52. Okay, so on my home machine, whose IP I've been using for the 48 hours I've been a LastPass user, I went to preferences and changed my master password.

    It logged me out, but now when I log in it says:

    An error has been encountered while loading your sites. Please relogin.

    So huh!?

    Please advise.

    Also, I am still confused why this is a blog post and not an email.

  53. Oh, also, that is using lastpass with firefox on windows 7

  54. You guys didn't think this issue important enough to send out an email? Seriously?

  55. @jerry 1.25+MM users would take too long to email unfortunately. Please email support@lastpass.com and include your LastPass email address.

  56. Everyone seems to be getting very angry with you guys, but I want to say: Excellent response. Thank you for doing the right thing. Our passwords are not minor things, and with the way you have handled the last two lastpass issues I think you are more than fit for the job of providing this service securely. Sony should take some notes. Keep up the great work guys, and thanks again for being so professional.

  57. Excellent response? Not really. If LastPass really had 1.25++ MM users who were affected by this, then this is not a company you want to trust with your passwords. Besides, "taking too long to email" is a pathetic excuse - it would take as long as sending the above blog post to allusers@lastpass.com

  58. Hey dudes, thanks for letting us know. Would that affect the premium users you said?

  59. "You guys didn't think this issue important enough to send out an email? Seriously?"

    I think forcing people to change their passwords the next time they log in is on par with an e-mail. For some, they'll probably find out faster than checking their e-mail.

  60. I tried posting this a few mins ago -

    Your initial blog post suggests that very little data was lost -
    "We know roughly the amount of data transfered and that it's big enough to have transfered people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blobs."

    Was enough lost to compromise everyone? If it was not enough for an encrypted blob, you are talking less than 10kb? Please clarify.

  61. Thanks for the prompt response guys!

  62. Seriously- spending $10k on a professional auditor's opinion will be the best money you've ever spent. Just benchmark all of your crap and apply the standard utils- ossec, log monitoring, web application firewall, etc.- why in the hell would your asterisk server have any visibility to your db??!!

  63. Do I need to change the passwords that are in my vault?

  64. Ouch! Not good!
    Please don't take this as a sales pitch, but I'm a sales engineer for Riverbed Technology and we have a product called Cascade Shark that does packet recording and analysis. This device would have allowed you to go back in time to when the traffic anomaly happened, find and replay the session that generated this spike and then view exactly what was transferred on the wire.
    It could have prevented you from going into paranoid mode if you could verify that no user data was transferred.

  65. Thanks to Owais above. It worked for me by exporting from firefox, but I just imported a csv file to keepass instead, as lastpass would not work at all, and I'm not sticking around to bang my head on the wall when it doesn't appear to accept my passwords at all. Thanks for the help.

  66. What's the status on the "mobile device" bug?

  67. "We know roughly the amount of data transfered and that it's big enough to have transfered people's email addresses"

    So email addresses were potentially compromised.

    "We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blobs."

    Not many, but some.

    So it is then entirely possible that the attacker has some users' encrypted data blobs.
    Furthermore, if those users have a brute-forceable master password, it is therefore possible that they have access to some of the few encrypted data blobs that were potentially downloaded. This means the attacker WOULD have access to the email account of this user. Thus your statement that "they wouldn't have access to your email account" seems incorrect, and email verification would not help these users.

  68. That's twice now, there is no way I'm trusting my passwords to LP anymore. Bye guys.

  69. The only really scary thing here is that your Asterisk server is in the same network as the database you store all our passwords on.

    That's a gigantic security failure.

  70. "We're only forcing the issue right now when we see you come from an IP you haven't used in the past few weeks (if you disable logging logins this might mean immediately)."

    I haven't been asked to change my master password yet. If I manually change it now will I be asked to change it again later?

  71. Better to be safe than sorry.

    Thank you.

  72. "What's the status on the "mobile device" bug?" I posted about it earlier and it's all fixed for me now

  73. I received my notification... entered my email... now I'm locked out of my account.
    How do we change passwords if we are locked out of our accounts?

    Glad to see you're on top of it... but I'm not sure this was handled too well.

  74. With all due respect, you could simply allow people to keep their access to LastPass service while they await the confirmation email until it delivers.

    There's no hassle; why would you want to cut off the air supply to LP just because it made a cough?

    To stop the attacker, simply update your service to detect any method of trying to get "login data" from your database, to simply lock out the IP and notify you.

  75. @Dinoraptor101 "there's no hassle why would you want to cut of the air supply to LP just because it made a cough."

    AFAICT nobody's air supply is being cut off. 2 Methods for accessing your passwords in offline mode have been posted.

  76. So, I'm just curious, if you haven't identified any specific vulnerability, what would prevent the "attacker" (if any) from just getting a new batch of the data with all the updated password changes users are doing?

    Sounds to me that if you haven't "fixed" anything yet, then the "attacker" can still do the same "thing", so a password change wouldn't do any good?

  77. So many of us appreciate your diligence; don't get discouraged by criticism. I got the reset message, followed the instructions and had no problem. I happened to be on the road so I got caught in the reenable routine.

    You did the right thing. I thought some of these cases through a long time ago. My email password is not stored in LP. I have a Yubi key. Since the Yubi key means no access except from a trusted machine even with my master password (unless you can get to my email to disable the Yubi key), and I don't let anyone who can get to my LP get to my email, I think I've closed a potential vulnerability. Get a Yubi key and sleep better.

  78. LP, just wanted to say that I really appreciate what you are doing.

    I understand it was really tempting to just ignore this issue and to not respond to it as you did.

    Keep up the good work!

  79. - What prevents the potential attackers from simply repeating their attack since no specific vulnerability has been identified or fixed?

    - When will the forced password change affect users whose IP address hasn't changed, and will they be forced to change the password at that time even if they manually change it now?

    - Why is it possible that your Asterisk phone server can be used as an attack vector?

    - You seem to make the assumption that email accounts can be used to verify account ownership despite the possibility that these email accounts may have been compromised as a result of this issue.

    - Why do you allow the creation of a master password that can be brute forced?

    - What caused the "mobile device" and now get "unknown message" errors and when will this be fixed?

  80. This is complete BS. There is a mis-spelling on the Re-enable page which makes me very suspicious. There is nothing in the news section on the Lastpass home page that even mentions this issue. How do I know that Lastpass has not been hacked? I don't, and so I'm not changing anything. I'm a paying customer and I should've known Lastpass was just too good to be true. I'm out of here. Sorry guys, but when it comes to trusting someone with security one hiccup like this is a deal breaker.

  81. I'm glad that under "external stress" the LastPass system fails to "off" rather than to "on". With PSN and RSA having their user data sucked out like a plate of spaghetti, your actions are on the money. Inconvenient? Oh you bet, but it's better than doing nothing.

    And really people, DON'T catch 22 yourselves with saving your master e-mail password in lastpass! It's not the fault of lastpass, but your fault for doing that.

  82. I thought only blobs were transferred to Lastpass? If that's true, what's the fuss? Here's what Lastpass says about security:

    "LastPass uses SSL exclusively for data transfer even though the vast majority of data you're sending is already encrypted with 256-bit AES and unusable to both LastPass and any party listening in to the network traffic -- the amount of data is trivial so the extra encryption doesn't hurt. Our policy of never receiving private data that you haven't already locked down with your LastPass master password (which we never receive and will never ask for) radically reduces attack vectors. We use firewalls and best practices to protect the servers and service, but our best line of defense is simply not having access to data even if someone got in. If LastPass can't access it, hackers can't either."

    According to the above we should have nothing to worry about because even if someone was listening to the network everything is encrypted right? What's going on???

  83. @Anonymous (why don't you post your name?): Stop spamming the blog. If you are unhappy, cancel your account and get on with your life.

    I think LP reacted perfectly. The spelling error is not great as it raises doubt. But honestly I don't care as I can see in the browser address that the site is https with a LP certificate.

    The new password setting worked fine, actually this should be an option which users should be able to set (Ask me to reset the password every x months). Many apps have this.

    So, stop bitching and give LP kudos how they protect their databases. Sony can learn a lot from LP ;).

  84. @Dicks I just entered my email address into Lastpass's form. They sent me an email, and want me to click a link in the email to get to the page to change my master password. Um...this is malware 101. Never click links in emails. Anyway...I'm not spamming the blog. I'm a paying customer and I will speak my mind as much as needed.

  85. For all of you who are affected by the "Your account settings have restricted you from logging in from this mobile device." problem:
    I was able to login with one of my One-Time-Passwords I had generated when I set up the account. I was then asked again to change my master password, but this time I was asked for grid authentication, and after passing this the change succeeded.
    Now I can log in again using my new master password.
    Yours Sincerely

  86. @Dicks, you realize there are multiple people posting as "Anonymous", right?
    Also, at least one respected Infosec professional would bet that lastpass is "totally owned", were he a betting man: https://twitter.com/#!/jonoberheide/status/65999907571503104

  87. Could you link to this notice from the page that forces people to change their passwords please? I was majorly confused this morning when I was asked to change my password. It reeks of phishing too.

  88. Are people actually this stupid to put their primary email account under a random generated password??

  89. Very happy about your response to the issue, LP guys. This kind of thing will happen at some point to any company that deals with encrypted data because it's interesting to criminals, so that's not the problem at all (note to users freaking out that someone would try to fish for some data). It's the response of the company that matters. This was quick and hopefully comprehensive.

    Clearly there are some points LP should improve on to make sure whatever was done by these intruders is not repeated by the next ones.

  90. I am unable to login at all - "An error has been encountered while loading your sites. Please relogin."

    What now?

  91. I'm unable to login after changing the master password:

    An error occurred while retrieving your accounts. The most likely error is that you have cookies disabled. Please check your settings and reload the page DEBUG: https://lastpass.com/getaccts.php returned not logged in, you can try going there directly.

    What should I do to get access to my passwords?

  92. I'm still getting the error message every time I start my browser, even after changing my master password. It is letting me log in, but having to do so every single time will quickly become a nuisance! I do hope this gets fixed soon.

  93. So why did you guys not force people to use master passwords that were not brute-forceable? That seems like an easy thing to do. And it would prevent this attack vector altogether.

    Now, I did use a master password that can't be brute-forced. So why am I forced to change my password. Why not give me an option to acknowledge this possible leak and not change my master password? If you want to confirm via email, that's fine with me.

  94. Unable to login. Cannot access account even with passphrase.

  95. Trying to change my MasterPassword on my PC:

    I get this:
    "Your account settings have been restricted you from logging in from mobile devices that do not support YubiKey authentication"

    What to do next ??

  96. In my opinion, LastPass handled this incident well. It is important to communicate openly with your customers - would you rather like it the way Sony handled their incident? I realize that this has been (and still may be) an inconvenience to a lot of customers, but I'd rather be "locked out" for a couple of hours than have my every password available to some malicious third party.
    Still, I agree that you might want to rethink your network structure and open yourself to external auditing. But it seems like you've realized this as well, as I would expect of a clever company. Thanks for your great service and your paranoia - you can never be too careful with sensitive data, especially when its sensitivity is your business ;-)
    Your paying customer, Chris

    P.S.: To all those flaming and moaning about your loss of trust in LP: Consider yourself lucky that LP communicates this well with their customers. In a way, they give you an out - "Hey guys, look, we're sorry but there has been a minor abnormality, it's probably nothing, but still we realize that the safety of your passwords is incredibly important to you. So here we are - we're going to tell you everything that is going on, so you may stop using our service as soon as you want if you feel concerned for the safety of your data." Consider that. I'm sure LP will be sad to see you go, but it is up to you.

  97. Couldn't you have done the "You have 3 days to change your password" approach instead of this ridiculous knee jerk response?

    We understand our passwords are important. That's why we're using lastpass instead of one password for all our accounts. So you don't have to slap us across the face to make sure we're aware.

    You were so concerned about the security that you forgot about the concerns of the people using this system.

  98. If you get this message: An error occurred while retrieving your accounts.

    Close all of your browsers, clear cookies and log in again. It worked for me.

  99. HI guys. Cannot login at all. Same message that i read on this page : "An error occurred while loading your sites. Please relogin."

    Don't know what to do..

  100. Ho Hum - the necessary evils of internet security - thanks for the heads up and hopefully you have headed off having a 'Sony moment' ;)

  101. I think i'll go back to remembering my passwords myself. This stank of a phishing attack on 1st look.

  102. I notice that some people have a problem in that they couldn't reset their lastpass password because their email password was itself stored with lastpass.

    Storing the password for the email account that you use to access lastpass seemed to me from the very beginning to be a stupid idea, for this sort of reason. For much longer than lastpass has existed, an email account has been a sort of key to all other accounts, because it is the normal way to reset passwords. So the people that did this deserved to get shafted through their own idiocy. They cannot complain about lastpass.

    Personally I find it annoying that lastpass does not have the feature to not store a specific password for a specific username/site (it is able to not store a site, but not a specific user/site combination). For this reason, lastpass continuously nags me in offering to store my email password, which I don't want it to do. (I am able to remember a couple of passwords after all!)

    The problem that lastpass solves for me is all the other countless accounts for which I would otherwise use the same password, not my email account which I use every day. In my opinion lastpass should refuse to store the password for the email that the lastpass account was set up with.

    Changing my password is not really a big deal for me, and I admire your integrity

  103. Lots of drama going on. I was unable to login. I was not taken to any password reset page or anything, just an error message. So I reset my password. Now read this very carefully: after changing my password, I am now able to login with my OLD password.
    So tell me, will you compensate me if my credit card and bank password get stolen and I lose money? Guess I should have never trusted a 3rd party with my secrets. Better to store passwords locally using KeePass Portable and carry it on a pen drive.

  104. I'm trying to re-enable my account. I insert my email address in the form and, after I receive the email, I click the link in it.
    The problem is, when I click the link, the server responds that my link is no longer valid. It's the link you sent me 10 seconds before; why isn't it valid? What do I do now?

    By the way, I used both chrome and firefox and I cleaned cache and cookies. I even tried to type the link in the browser bar.

  105. @Gourav

    Enjoy your hell of a time trying to regain access to everything when you lose the pen drive or it finally dies. Flash memory doesn't last forever.

  106. Thank you for taking our security seriously LastPass Team. God knows Sony didn't/doesn't.

    Stumbled my way here from Howtogeek's Twitter feed. I never received an email or a prompt to change my password but I'll probably do it anyway just for the sake of keeping it fresh since I haven't done it in so long.

    Never hurts to keep your password fresh and strong to keep up with the times.

  107. Hi I've been a big fan and have become reliant on lp since thoroughly reading the website and the tech in use, but I'd be more likely to have my fears allayed if the previously posted comment from someone was answered by Siegrist 'I thought the whole point of LastPass was that even if hackers were able to obtain bits of information regarding your account, none of it would be even legible. The passwords are encrypted, the information is encrypted, and LastPass even boasts that they don't keep our password stored on their server in any identifiable way. So why force a mandatory change of password when the system itself should protect us against attack?' Is it not possible to convey how it works without being a mathematician or computer scientist? Has the marketing been a little economical with the truth?

  108. I think the take home message for a lot of folks here is that there are in fact two passwords that a person should always remember: master password and email.

    Make both strong passes, but remember both, as you never know when you may hit a wall with whatever cloud service/program you use to manage your accounts.

  109. Hi folks

    Could it be just false pretenses to get all the passwords? I trusted LastPass that they store only my encrypted data, but they have the chance to store my pwd on every login (if they would put a logger into the plugin, or they can change the code of the online platform so that the key could be stored there, or they could store our key when we change our pwd (and now everybody has to do this)). I'm concerned about my data. I think it is time that anybody (3rd party) reviews the code of the LastPass engine. I'm now starting to pull worthy pwds (PayPal, bank, credit card, ...) out of LastPass and will store them somewhere else. But on the other hand it is very fine when LP informs the people when they think that there could be a danger, and forces them to do something against this danger. But in this case I am in a conflict whom I should trust: my bad feelings or LP.

    best regards

  110. When I try to change my lastpass master password I just get a "Sorry a problem occured" Please try again.

    What's the issue with that?

  111. arrrgghhh....

    Ok maybe something happened - Action now - That's great !!

    But it would be NICE to get a Status response on the current issue "Failure to change the MasterPassword"

    Going home now - thinking of other ways to secure my passwords - pen and paper maybe.

  112. Autofill is currently not working (after changing the master password), anyone else experiencing this?

  113. You guys are completely nuts. You are cutting me off ALL of my passwords. Including my email. What the heck were you thinking? Who the heck gives you the right to do this.

  114. My mail address contains a + symbol, but it's ignored by the input field in the password change form. So I can't change my password! Please help

  115. Can someone from lastpass reply, please? I need to access my data and nobody replies to support emails nor comments here.

  116. Problem: I cannot login to my email, I do not know the password, this is in my lastpass account.

    And now?

  117. How come I never received a notification regarding this? From what I read, the notification was received in your browser when you want to log into LP.. I didn't get any of this at all. Should I be concerned?

  118. Funny thing is, I was expecting something like this to happen and changed it regardless to a higher character password!

  119. Most people here seem to be either glad or very annoyed by what's happened. There are some things that annoy me and some that I'm glad of.

    Things that I'm glad of:

    - Lastpass take note and account for what is happening on their network
    - Lastpass seem to have the right idea on the convenience vs. security trade-off.
    - Changing my master password was easy and worked first time.
    - That lastpass will submit to a 3rd party audit.

    Things that I'm annoyed about:

    - The first I heard was when I tried to log in and had to spend work-time sorting it out, not by email.
    - I had no real way of knowing whether lastpass was asking me to reset my password or someone who'd hacked their webserver.
    - That user data isn't kept away from other servers that could be insecure meaning that lastpass can't confidently rule out user data having been accessed.
    - That lastpass hadn't previously submitted to a 3rd party audit that may have flagged up these issues.

  120. Thanks LastPass. Your swift action makes me even more sure that you're good to trust with my password details.

    I think this was appropriate action, and I easily changed my password without any issues.

    To the complainers, if you had a good password, you don't have anything to worry about. As to not being able to access your email:
    1 - ensure you have LastPass data backed up. I back up mine, encrypt it and then stick it on Dropbox.
    2 - shouldn't you know the password of your email as a fail safe? I'm not suggesting using a poor password, but instead of remembering one solid password, just remember 2/3. If you have your email, you can reset the rest of the accounts.

  121. If you disconnect the computer from the network, you can login to the local copy of LastPass. You then copy the email password in the clipboard and go back online to access it once LastPass asks you to reset the master password.

  122. What's going on? I'm trying to login through the web interface but getting nothing. The page just reloads with login form empty. If I enter wrong password I get "Invalid password!" so password is not the problem. What do I do?

  123. Good security, nice service, thank you

  124. >he uses dropbox
    >laughinggirls.png
    >implying dropbox doesn't have security issues
    >implying you just didn't go full retard

  125. @Lastpass: please tell us why the decryption/re-encryption of our passwords is done through your website - If I were a dedicated attacker, I'd do exactly what you're doing right now: have the customers deliver their old passwords on a silver plate, then grab the stored passwords while they are unencrypted.

    How is THAT good security?

  126. I've re-logged in several times now, and I have still not been asked to change my master password. I know I can change it myself, but this is obviously a sign that not everyone will be aware of this. If I hadn't seen a link to this blog post(!) on reddit, I would have NO IDEA at all.

    I also don't understand why you didn't email about this. Surely you could send the emails in less than a few days or so...?

  127. Yes this is inconvenient, but I congratulate LastPass on being open and honest enough to deal with the problem in a potentially paranoid fashion rather than furtively work behind the scenes and doom themselves to failure. If anything, this makes me trust LastPass with my data more than before.

    Keep up the good work, guys.

  128. I have requested via email the ability to reset my password, but I dont get an email. I am locked out of all my accounts. LastPass is a JOKE!

  129. I logged out in the hopes I would be able to log in again and get a new password prompt. Instead I'm just locked out. Gives me an error and redirects me back to a blank login screen. This is poor.

  130. Perhaps now Joe will take my many requests over the last two years, as well as those from other users, to make a way for lastpass to operate completely offline without need for storing data anywhere in the cloud.

    The constant replies of "it is not conducive to our business model" are getting tiresome. This is why I refuse to use lastpass. Until I can decide when/if I want to store my data on your servers, lastpass will not be installed or recommended by me to anyone.

  131. So you're rolling out PBKDF2-SHA256 with 100.000 iterations. Great.

    You however did not mention how the data/passphrases which may have been leaked were currently hashed. Could you elaborate on that?

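Comments 67 and 131 together make the point that matters here: whoever holds an encrypted blob can test master-password guesses offline, so the per-guess cost set by the key-derivation function decides how long a weak password survives. The block below is an added illustration, not LastPass's code and not a description of their vault format: the salt, the HMAC "verifier" tag and the attacker hash rate are constructed assumptions; only the PBKDF2-SHA256 / 100,000-iteration figure comes from the thread.

```python
# Added example: why a slow KDF (PBKDF2-HMAC-SHA256, 100,000 iterations)
# raises the cost of every offline master-password guess. Not LastPass code;
# the salt, blob layout and attacker figures below are constructed assumptions.
import hashlib
import hmac
import time

ITERATIONS = 100_000   # iteration count mentioned in the thread
KEY_BYTES = 32         # 256-bit vault key


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch a master password into a vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)


def fast_hash_key(master_password: str, salt: bytes) -> bytes:
    """Weak comparison scheme: one salted SHA-256, i.e. no stretching at all."""
    return hashlib.sha256(salt + master_password.encode("utf-8")).digest()


def make_verifier(key: bytes, blob_id: bytes) -> bytes:
    """Assumed design: a tag stored next to the blob so the client can tell a
    wrong password from a corrupt blob. Anyone holding blob + tag can recompute
    it offline, which is exactly why each guess must be expensive."""
    return hmac.new(key, blob_id, hashlib.sha256).digest()


def key_opens_blob(candidate_key: bytes, blob_id: bytes, verifier: bytes) -> bool:
    """Constant-time check of a candidate key against the stored verifier."""
    return hmac.compare_digest(make_verifier(candidate_key, blob_id), verifier)


def expected_guesses(entropy_bits: float) -> float:
    """On average half the keyspace is searched before the password is found."""
    return 2.0 ** (entropy_bits - 1)


def seconds_to_crack(entropy_bits: float, iterations: int,
                     fast_hashes_per_second: float) -> float:
    """Expected search time for hardware that computes `fast_hashes_per_second`
    single hashes; a PBKDF2 guess costs roughly `iterations` of them."""
    return expected_guesses(entropy_bits) * iterations / fast_hashes_per_second


def measure_guess_cost(iterations: int = ITERATIONS) -> float:
    """Wall-clock seconds for one derivation on this machine (informational)."""
    salt = b"constructed-timing-salt"
    start = time.perf_counter()
    derive_vault_key("timing-probe", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = b"constructed-salt:user@example.com"   # constructed, not a real account
    blob_id = b"constructed-blob-0001"
    key = derive_vault_key("correct horse battery staple", salt)
    tag = make_verifier(key, blob_id)
    print("right key opens blob:", key_opens_blob(key, blob_id, tag))
    print("wrong key opens blob:",
          key_opens_blob(derive_vault_key("Password1", salt), blob_id, tag))
    print(f"one PBKDF2 guess here: {measure_guess_cost() * 1000:.1f} ms")

    rig = 1e9  # constructed figure: single-SHA-256 rate of an attacker's rig
    for bits in (28, 40, 60):   # ~8 lowercase chars, ~12 mixed chars, a passphrase
        print(f"{bits:2d}-bit password: {seconds_to_crack(bits, 1, rig):12.0f} s plain,"
              f" {seconds_to_crack(bits, ITERATIONS, rig):16.0f} s with PBKDF2")
```

The iteration count only multiplies the attacker's work; a master password with too little entropy still falls, which is why the post forces changes for weak ones rather than relying on the KDF alone.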
  132. What is the solution for the "An error has been encountered while loading your sites" ?

    Can someone publish this information ???

  133. This is why I signed up with Lastpass. NOTHING is completely secure, but unlike a certain huge corporation (*ahem*Sony*ahem) Lastpass notified the users immediately, locked the accounts, and took measures to be sure everyone's data was safe. Way to go and this only makes me trust my data with Lastpass even more!

  134. Thank you very much for the information, I'd rather have several infos each month like this than having all my passwords stolen.

    i think it's great of you to constantly monitor the activities.

  135. @Anonymous 2 up, Do you really consider this a notification? Even I have an account and I have received no email about this...Like others, I stumbled across it through a link on a completely unrelated site....Yes, great notification.

  136. I'm a LastPass premium user (several times over, for different people I know), and was considering something like this for my work (small international IT team with an insane/absent password scheme).

    I am extremely disappointed that these systems were even associated. The LastPass production servers should be completely isolated from ANY other system, except via the few custom interfaces you've defined, and those should have an extreme level of auditing, in this regard. There should be no other service running on it, not even development services.

    I hope this shock/scare forces you to look at your internal security, physical security, and similar, a LOT closer. For instance, can a single developer commit changes to the production source? Can a single developer access the live data with much ease?

    Separate everything.

    Additionally, continue investigating this to the best of your ability, and update us as to changes you've made. I've been saying this for a while, but I'd like an RSS feed tied to some sort of change management system, where I can see what changes have been pushed out each day, even if they are absolutely minor. I am interested in seeing what's happening/changing.

    However, having said all of the above, I am happy with how you've handled this. While I'd rather have a few days to change my password, such is life. I just did it before, and had no troubles. I like your openness, honesty, and if you had treated us anything like Sony, I'd have left you in a heartbeat.

    You've still got my personal business, but you won't have my work's business, until you dramatically increase your own security, and I see significant change in that department.

    Also, the Grid data isn't stored unencrypted... is it?

    I think it's about time I got a YubiKey!

  137. For the third time... can someone give a solution ?????? Nothing works !
    > OTP for recover gives : Sorry, the link you have requested has expired
    > Login gives : An error has been encountered while loading your sites

    What the hell should i do ????

  138. It is indeed bad news but people should not be saying bad words to the LP team. They were prompt in informing about the anomaly and the process to change password was smooth and easy.

    Just look at the Sony PlayStation Network. They were hacked, credit card details were stolen and they informed after 1 week and still you have no clue what to do.

    So please be patient and support this wonderful product.

    A happy user since beginning.

  139. @Dushy:
    > and the process to change password was smooth and easy.

    Really? Look at all those people who cannot even login, let alone change password.

  140. I agree with the others in appreciating the transparency on this. Rare these days because most companies want to put a spin on attacks. Nice job LP on the communication to customers. Because I use a secure password, I am also not concerned that someone could have accessed data on your server.

    I will also share my experience that something isn't right with how LP deals with Chrome on Mac. When I saw this, I launched Firefox (Mac), went to the web site, and changed my master password. No problems at all...worked fine. Then I opened Chrome and logged into LP, but was told that I need to verify that I have access to my email address to reactivate my account. Strange, but ok, I did it. Then I had to reset my master password...again. I reset it back to my previous one, then reset it again to my new one.

    All is well now.

  141. Hey LP team...This is really troublesome, I regret using this tool. It gives me a headache. Please, HELP me to access my VAULT.

  142. i appreciate your transparency.

  143. Didn't get a notification email. I found it from a tweet from a friend. I had noticed that, for some reason, Lastpass was logging me out of the extension (but it was working some of the time - someone else logged in as me, perhaps?)

    I've now reset to new password, using the OTP feature... and now it won't log in with the new password. Very concerned.

  144. Just like Anonymous at 04:31 AM I get the message "A problem occureed when changing your password. Please try again." every time I try and change the master password.

    I have tried various different master passwords and I have verified that the current master password is correct. But I am still getting the same error message and I cannot change the master password on any of my computers.

  145. I'm also getting the "An error has been encountered while loading your sites" message when I have "Save your password" enabled in IE which normally logs me in automatically when I start the browser. Now, I get the error message, and have to click on the LastPass button and then click Login (with the password already filled in automatically.) So not a show-stopper, just an inconvenience. I expect this is a temporary bug, but will contact support if it persists.

  146. Okay - I was Anonymous from a few moments ago (7:01AM) - after getting locked out, waiting 15 minutes, my new password IS now working - I would guess that the servers are getting quite a work out at the moment.

    So, if after changing passwords nothing happens - don't panic - just wait.

  147. Changed password, then I get invalid password after trying to login again. I know I'm using the correct password. It's the same as the old one with a little prefix. I guess you should add a note to the blog post as it seems many users are having this problem.

  148. Please publish the IP address of the network traffic anomaly. This is important.

  149. Thanks for getting this out to the public - going full disclosure even when you are not 100% sure there was a breach is way better than covering it up. Remembering a new, strong password is a bit annoying, but it's only one and I'll gladly do it for the security aspect. Keep up the good work!

  150. Now lastpass is having security issues?

    I'll be damned if a company I keep anything personal with isn't having some security breach nowadays.. /sigh

  151. Why are people making support requests on a blog post? Go through the proper channels and I'm sure they'll be able to support you so much better.

  152. Why do I read about this on Techmeme, and not via email from you? How do you plan to alert users who don't frequent sites where your f-up is highlighted?

  153. I am assuming that since I use a yubikey, that even if they broke my passphrase, that it wouldn't do them any good?

  154. Thank you for being so upfront about this! I am personally not worried about my passwords.

    However, I didn't get the notification to change my password in Opera when logging in through the extension. I just got immediately logged out again (which is what made me wonder if something was wrong in the first place), and nothing more happened. Only when logging in through Chrome did I finally get the notification.

  155. STOP yelling about them sending emails. First off, if they have over a million users, it would take a long time to send them out without getting spam filtered (and even then, at least some WOULD get spam filtered). Secondly, you're going to see the password change message BEFORE you email (since they logged everyone out), so who cares about an email? You already know.

    Paranoid people holding your encrypted blobs is a good thing. Don't let a few annoying anonymous cowards steer you away from the service.

  156. Still, using LP is much better than typing your password on a keyboard because of keyloggers, and they are much more popular than hacking password managers like LP... and it's not efficient... hackers would still need to decrypt all data which is simply impossible with given computer power and time

  157. I am not receiving the security email from LastPass.

    Anyone else having this issue?

  158. Hey guys,

    Your honesty and openness is very much appreciated. The way you handle this situation and the way you communicate it to your customers actually ensures my trust in your service. However, something like this should remain an isolated incident and raise your awareness that security measures need constant auditing and development. Keep up the good work!

  159. I can't log in to LastPass at all. How am I supposed to change my master password?

    Help. Quickly.

  160. Kudos to LastPass for full disclosure and taking appropriate action on this immediately. Yes, it is somewhat inconvenient, but when you weigh this small inconvenience against the added convenience LastPass gives you in not having to remember hundreds of usernames and passwords, this is a small price to pay. Thank you to all the LastPass folks for a fantastic product!

  161. This is a good way to handle this and gives me confidence in the service. I use a strong password and so the potential security threat is minimised, but for everyone complaining about security issues - companies that store potentially "important" data are *always* going to be a target for hacks.

    What is important is not that hacks happen, but that their success is limited, and the target implements the proper procedures and response to notice, inform, and deal appropriately with the situation.

    Way to go guys.

  162. You can use the support@lasspass.com address to report problems. I received a response in under 10 minutes.

    @Lastpass: Good job! Good luck!

  163. I can't sign in to my vault to change my password. I get the error...

    "An error has been encountered while loading your sites. Please relogin."

    wtf LastPass? Not a happy bunny. >:(

  164. Thanks for the responsible disclosure on this. However, I found out from a third-party (never got the email). Did you also send the password change request to Yubikey users as well?

  165. This comment has been removed by the author.

  166. While I appreciate the full disclosure, it seems more network traffic analysis and logging is in order.

    My Yubikey requirement has made me feel much better about this and I'd highly recommend one to anyone using LastPass.

  167. Oh man this makes me angry. I read the blog post, confirmed the email, changed my master password... It seemed to let me in the first time after that, but then issued some stupid error about failing to load my sites. Now it just says "invalid password", which is ludicrous. If I can't access my shit I'm going to go nuts.

  168. @Anonymous (Oh man this makes me angry)
    try to recover your password
    https://lastpass.com/support.php?cmd=showfaq&id=375

  169. @Anonymous (I can't sign in to my vault)

    try to login using extension

  170. http://sunbeltblog.blogspot.com/2011/05/use-lastpass-change-your-master.html

  171. The threat may be real, but the handling of this process is almost stupid... When I tried to log in, the 'forced' process started. I thought my account had been compromised and some attacker was trying to capture my data. No heads up or alerts - not good!!!

  172. There are a lot of people who seem to be disappointed that their information is safe.

  173. I changed my password but when I try to login I repeatedly get the error "An error has been encountered while loading your sites. Please login again"

  174. The annoyance is that the password changing doesn't actually work...

    Your settings could not be updated. Please retry later. error

  175. Getting an error after resetting my password, during the re-encryption process. Lame.

  176. I try to reset my password and I get:

    Sorry!
    A problem occurred when changing your password. Please try again.

    I have tried two different password changes with no success.

  177. Pretty disgusted to find out about this from Twitter. I wasn't required to change my master password, nor did I receive any communication from LastPass via email or alert in the toolbar plugin. Changing the password is obviously sensible, but rather like closing the gate after the horse has bolted, as if the data has been acquired it'll be cracked using old passwords. My exceptionally long LastPass password may have annoyed me, but maybe it saved me too. I've yet to decide whether to continue as a customer. I've decided to continue as before and not store ANY financial passwords in here, as your systems clearly aren't secure enough to handle them.

  178. So, no password change prompts for me this morning. However, even if my password hash was accessed, according to http://www.mandylionlabs.com/documents/BFTCalc.xls, my 17+ character complex password would take somewhere in the span of 300 million years to crack it. I do not use dictionary terms, but instead use lower/upper letters, numbers and special characters. It can be a pain to remember, but in times like these, I am glad it is as complex as it is. Also, as a premium user, I took advantage of the Yubikey which has given me even more security. So, if you have done the same, you should not be too worried. If not, consider upping your security posture a little more so things like this do not become as problematic. My two cents at least.

  179. My account also uses a + in the email address, which is being filtered by the password reset page, even though it works everywhere else at LastPass.
    So, I can't reset my password and cannot enable the account :(
    I've emailed support but don't know how long this will take to fix.

  180. Huge kudos to all you guys at Lastpass for this. It's obviously inconvenient for users, but knowing that you take security seriously, are transparent with users and actually mean what you say is worth a lot.

    Compare and contrast to Dropbox...... I know which company I trust.

  181. I appreciate your effort to inform users about whatever matter you faced with data leakage and took precaution without worrying about market image. :D .. Love to be your user

  182. Why why why did I also find out about this on Twitter??? AND every time I try to change my master password, it gets to uploading encrypted data and I get an error. I understand it's a free service, but I do also pay for the mobile service, so a little help and communication would be nice.
    not2fly(at)hotmail(dot)com

  183. OK, I clicked through on the email from IE instead of Firefox Portable and it worked.
    Heads up to everyone: portable app browsers seem to be a fail when you do the reset.

  184. I'm confused (and a paying subscriber)..

    Firstly, I haven't had ANY notification of this. OK, I'm coming from a known IP block.. but still I'd like to know!

    Secondly.. Why is my password anywhere near lastpass.com servers.. it's supposed to be just stored locally?

  185. The '+' in email problem went away when I tried to log in again. I don't know if this was because I tried again, or because it'd been fixed. At least I can connect now :)

  186. Good Day!

    I get this:

    >>
    Sorry!

    A problem occurred when changing your password. Please try again.
    <<

    We get the same issue. No copyright infringement intended:

    >>
    Anonymous said...
    Just like Anonymous at 04:31 AM I get the message "A problem occurred when changing your password. Please try again." every time I try and change the master password.

    I have tried various different master passwords and I have verified that the current master password is correct. But I am still getting the same error message and I cannot change the master password on any of my computers.
    May 5, 2011 7:02 AM
    <<

    Well, LastPass is nice. They did a good job. But in this human world, everyone gets robbed, fooled, or hacked. :) Even Google or worse Sony wasn't able to be immune (not even highly secured military classified projects). It is just we live in this kind of sorry world. As a suggestion guys, do a backup. I use KeePass synced via Dropbox using the strongest encryption with a neat keyfile. Use 2-way verification in your Google accounts too. But I hope LastPass will eventually be able to resolve these issues. It was a nice extension to lose.

    More Power,
    Maj

  187. This is low enough on the list that I don't think anyone will read this far down. Anyway, my concern is not just confidentiality but integrity. Will LastPass be making a statement that they feel they have control over their code? Do we know if the local plugins have been compromised?

  188. Good thing that I found a link to this blog post on a security forum, otherwise I wouldn't be aware of anything at all...

  189. I had errors changing password through Chrome, it would error after encrypting it. I tried with Internet Explorer and this worked fine.
    Thanks for your honesty LP. Better safe than sorry.
    BTW I am sure I paid for premium service via credit card. Are those details compromised also?

  190. This is concerning: I wasn't forced to change my master password when I logged into my vault on the lastpass.com website. When I went to settings, it looked like I could then change my master password WITHOUT the extra authentication mentioned above (IP address or email address). Does this mean the forced password change and accompanying extra precautions only apply when using the LastPass plugin? If so, that is a serious oversight.

  191. Dave M: check your spam filters for the re-enable email. That's where mine ended up.

  192. I logged in this morning, but didn't see any indication that I would be FORCED to change my PW. I wasn't prompted at all. ????

  193. The biggest WTF of this is that I just happened to stumble across a link to this post on another blog. Why not send out a note?

  194. What LastPass should have done is open a window prompting users to reset their password EVERY TIME they log in to LastPass, instead of disabling login altogether!!

  195. @Anonymous

    "I'm confused (and a paying subscriber)..

    Firstly, I haven't had ANY notification of this. OK, I'm coming from a known IP block.. but still I'd like to know!

    Secondly.. Why is my password anywhere near lastpass.com servers.. it's supposed to be just stored locally?"

    I have also still not been either notified officially in any way nor logged out (logging in with my old password works without any notifications as well).

    On your second point, however... The entire point of LastPass existing is that the data is stored on the LP servers. If you don't want this, I'd suggest uninstalling and switching to a local solution such as KeePass. That would however mean that you need to carry the file around with you (or store it online manually).

  196. Mailing a million+ members takes too long?
    Are you serious?
    You claim to have security in mind, but as a resolution to solve a security issue with everyone's master password you let the system send an email to their email. How many people do you think have a randomly generated password for their email accounts stored in Lastpass?

    Also, if my master account has been compromised.. how do I trust nobody has used it before you spotted the issue/attack? How can I trust ANY of my logons stored in your software to be secure still?!

  197. I cannot change my password.

    The entire procedure ends up with a generic "error, please try again later" error.

    It's the only thing it says after re-encrypting and uploading my password files to your servers.

    THAT IS A HUGE ISSUE.

  198. Same issue when changing the master password: it uploads encrypted data, then fails. Also, when using the LastPass extension in Opera to sign in to the vault, it does so for about 5 seconds, then signs out again.
