Nov 8, 2012

Use Twitter? Time to Change Your Password.

Update: Twitter has now confirmed in a blog post that it was a technical error, rather than an issue of compromised accounts, indicating that "In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologize for any inconvenience or confusion this may have caused." We apologize for any alarm caused by our post in our effort to alert users to any potential threats.

Reports are now circulating that Twitter may have been hacked. Although no official statement has been made by Twitter at this time, a large number of users are already being forced to go through a password reset process following reports of compromised accounts with spammy posts and DMs.

For those whose accounts appear to be affected, Twitter is forcing you to submit one of three pieces of personal information when attempting to log in - your phone number, email address, or Twitter handle. After providing the data, a password reset email is immediately sent to the user.

The email contains a link to a page where you can create a new password, although it doesn't request the old password or require you to enter the new password twice. It does seem phishy, but from what we can see, if you're forced to go through this process you can't log back in to your account until you follow these steps.

Details are still emerging about the situation and whether it's truly a "hack", but we highly recommend that all users update their Twitter passwords. Use LastPass to log in, and update your Twitter password with a new one generated by LastPass. Run the LastPass Security Check (located in the Tools menu of the browser addon) to check if you are reusing your Twitter password on other sites. If you are, we highly recommend you change those as well.

Because no official dump of users' passwords has been reported, LastPass Sentry will not currently alert you if you have been affected. If you're new to secure password management, get started today by downloading LastPass, creating a free account, and updating your passwords to secure, generated ones.

We'll keep you posted on any further updates that emerge.

5 comments:

  1. Could you take this opportunity and fix the way the plugin (specifically the Chrome plugin) interacts with Twitter's change password form. It does not currently notice that the password has been changed, and during the change it insists on filling in the 'old password' field with the newly generated password.
    Thanks!

    1. And while you're at it, is there any way to add support for the Chrome TweetDeck extension? LastPass's non-support of this is the only thing keeping me from using a generated password with Twitter.

    2. Thanks, we'll add it as a bug fix for the dev team!

      Unfortunately, LastPass can't see into other extensions, so the only option is to copy-paste. You can use the "copy password" shortcut from the LastPass Icon > Sites > Group > Site menu to paste it into the appropriate field.

  2. Hi, I read this recent article from a presentation in the last BlackHat Conference and their conclusions about the LastPass iOS app kinda scared me. http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf Do you guys recognize that what was said is true? If so, are there any plans to fix it?

    1. There was a major issue with their analysis regarding LastPass - they indicated that we used 1 round of hashing when calculating the key, but we have been defaulting to 500 rounds for new accounts for some time prior to this. The researchers involved may have created their accounts before this went into place for new accounts but had they contacted us we would have clarified this.

      For more information, please see: http://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/

      We are somewhat unique in that we expose this setting to the user, so they can determine how many rounds of hashing they want. We have also built our system so it is easy for us to increase this number as the hardware continues to improve.

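The point made in the reply above (1 round versus a user-configurable default of 500, with the count stored so it can be raised as hardware improves), as an added example that is not LastPass's own code. The PRF (HMAC-SHA256), the 32-byte key length, using the lowercased email as the salt, and storing a SHA-256 of the derived key as the login verifier are all assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# The reply says new accounts default to 500 rounds; the PRF (HMAC-SHA256), the
# 32-byte key length and using the email as salt are assumptions of this example.
DEFAULT_ROUNDS = 500
KEY_LEN = 32


def derive_key(master_password: str, email: str, rounds: int) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256 for `rounds` iterations."""
    if rounds < 1:
        raise ValueError("PBKDF2 needs at least one round")
    salt = email.lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, rounds, KEY_LEN)


def one_round_is_a_single_hmac(master_password: str, email: str) -> bool:
    """rounds=1 (the figure the researchers assumed) is a single HMAC over salt||INT(1),
    so testing a guess costs one hash instead of 500."""
    salt = email.lower().encode()
    single = hmac.new(master_password.encode(), salt + b"\x00\x00\x00\x01", hashlib.sha256).digest()
    return hmac.compare_digest(single, derive_key(master_password, email, 1))


@dataclass
class AccountRecord:
    """Server-side record: the round count is stored so it can be raised later."""
    email: str
    rounds: int
    verifier: bytes  # sha256 of the derived key, never the key itself (assumption)


def create_account(master_password: str, email: str, rounds: int = DEFAULT_ROUNDS) -> AccountRecord:
    key = derive_key(master_password, email, rounds)
    return AccountRecord(email, rounds, hashlib.sha256(key).digest())


def login_and_upgrade(record: AccountRecord, master_password: str, target_rounds: int) -> bool:
    """Verify with the stored round count; on success, if the configured target is
    higher (hardware improved), re-derive at the new count and replace the verifier."""
    key = derive_key(master_password, record.email, record.rounds)
    if not hmac.compare_digest(hashlib.sha256(key).digest(), record.verifier):
        return False
    if record.rounds < target_rounds:  # the password is only in hand at login time
        key = derive_key(master_password, record.email, target_rounds)
        record.rounds, record.verifier = target_rounds, hashlib.sha256(key).digest()
    return True
```

An account created before the default was raised keeps its old count until its next successful login, which is why old accounts can lag behind new ones.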