LastPass Security Notice

Update: July 10, 2015 @ 8:00 PM EST

Thank you for taking the time to read our posts and follow our recommended actions after the recent events. Behind the scenes, our response has been ongoing. As we mentioned before, we’ve engaged security experts and firms to help us, and we’re working with the authorities to take the appropriate actions.

These events have put our systems to the test, and we’re more secure as a result. Security is an ongoing back-and-forth. We make advancements, and the bad guys do, too. The work is never done here at LastPass. It’s constantly evolving, so it’s important to stay ahead of the game. And when we’re put to the test, we can point to what worked in our model, and evaluate how to secure our fortress going forward.

For example, this event has advanced our timeline for implementing Hardware Security Modules (HSMs), which are now in use. These are designed to protect the cryptographic infrastructure of LastPass. HSMs are used by some of the most security-conscious organizations in the world for managing, processing, and storing cryptographic keys. They are hardened, tamper-resistant devices. All that’s to say, we’re utilizing new, advanced technology to make our solution even more resilient and secure.

We’ve implemented dozens of other changes, large and small, to strengthen our systems and improve the service going forward. We’ve opened up a paid bug bounty program to source security improvements from the research community. We’re adding scrypt as an additional layer to strengthen the authentication hashes server-side, adding further protection against large-scale brute-force attacks.

We have also continued to expand our capacity for larger-scale events like this one. We are designing for better messaging within the service, simplifying session management, and adding more comprehensive device history, all of which help our users be more proactive and informed. Password hints are now optional, too, and a policy to disable them is being added to the LastPass Enterprise Admin Console.

We prioritized disclosing what happened, and all of our actions have centered around keeping you and your data secure. Going forward, we don’t want to lose sight of the ever-growing need for password managers like LastPass. Managing strong, complicated, difficult-to-remember passwords is challenging when you also need to use a different password everywhere. Most of us simply can’t practice good password security without a safe tool to help. Password managers are the most efficient way to generate strong passwords for every website, remember those passwords, and back up and sync those passwords securely.

We build a service that is constantly put to the test, and improves as cybersecurity threats change. And we never stop advancing our systems as new technology becomes available. All of our resources are invested in building a secure service and putting it to the test, so that together we can keep our identities and our data safe.

Joe Siegrist
& the LastPass Team

 

Update: June 16, 2015 @ 4:10 PM EST

We appreciate the patience and support from our community after yesterday’s announcement. As expected, we work tirelessly to make sure that your data is safe. That’s why we quickly detected, contained, and evaluated the scope of the incident, and secured all user accounts. We want to assure our users that our cyberattack response worked as designed.

We’ve received many questions so we want to take a moment and provide additional clarification:

Was my master password exposed?
No, LastPass never has access to your master password. We use encryption and hashing algorithms of the highest standard to protect user data. We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, and use a salt (a random string per user) and do another 100,000 rounds of hashing, and compare that to what is in our database. In layman’s terms: Cracking our algorithms is extremely difficult, even for the strongest of computers.

Am I at risk if I have a weak master password?
An attacker could try to guess your master password, then use your per-user-salt and authentication hash to determine if their guess was correct. Typically, an attacker would try a list of commonly-used passwords or dictionary words (such as 12345678, password1, mustang, robert42, iloveyou). They would have to do this for you specifically, since your “per-user” salt is unique to your account. Because your password is hashed thousands of times locally, and this hashed value is again hashed 100,000 times before being stored server-side, guesses will be very slow. If your master password is weak or if your password reminder makes it easy-to-guess, then the attacker could significantly reduce the number of attempts needed to guess it correctly. Then the attacker would have your master password, but not your data, since your data vault was not exposed. If the attacker attempted to get access to your data by using these credentials to log into your LastPass account, they’d be stopped by a notification asking them to first verify their email address. We require this security measure for any attempt to access your vault from a new device/location, unless you have multifactor authentication enabled.
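The derivation chain described in the two answers above, as an added Python sketch (not LastPass's code). The 5,000 client-side and 100,000 server-side PBKDF2-SHA256 rounds come from the post; using the username as the client-side salt, modelling the "another round of hashing" as one PBKDF2 round salted with the master password, the 16-byte salt size and all function names are assumptions.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000      # client-side rounds stated in the post
SERVER_ROUNDS = 100_000    # server-side rounds stated in the post


def client_auth_hash(username: str, master_password: str) -> bytes:
    """Runs on the user's computer; the master password never leaves it."""
    # Assumption: the lower-cased username acts as the client-side salt.
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                              username.lower().encode(), CLIENT_ROUNDS)
    # "Another round of hashing" on the key, modelled here (assumption) as
    # a single PBKDF2 round salted with the master password.
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


def server_enroll(auth_hash: bytes) -> tuple[bytes, bytes]:
    """Server side: draw a random per-user salt, store only the stretched value."""
    salt = os.urandom(16)  # assumed salt size
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return salt, stored


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Re-stretch the submitted authentication hash; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample accounts, not real credentials.
    pw = "correct horse battery staple"
    alice = client_auth_hash("alice@example.com", pw)
    bob = client_auth_hash("bob@example.com", pw)
    salt_a, stored_a = server_enroll(alice)
    salt_b, stored_b = server_enroll(bob)
    print("login with right password:", server_verify(alice, salt_a, stored_a))
    wrong = client_auth_hash("alice@example.com", "password1")
    print("login with wrong password:", server_verify(wrong, salt_a, stored_a))
    # Same master password, different users: the stored values differ, so a
    # guess has to be re-computed through the whole chain for each account.
    print("stored values equal:", stored_a == stored_b)
```

Every check of a candidate password costs the full client-side plus server-side stretch for one specific account, which is why the strength of the master password itself remains the deciding factor.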

Were passwords or other data stored in my vault exposed?
No, your data is safe. Encrypted user vaults were not compromised, so no data stored in your vault is at risk (including form fill profiles, secure notes, site usernames and passwords). However, if you used your master password for any other website, we do advise changing it – on LastPass as well as on the other websites. Note that you should never reuse passwords – especially your LastPass master password!

What should I do now?
Our security and processes worked as designed, and customer data was, and is, protected. Because we are requiring verification for any new IP address or device, your account is secure. You will be prompted to update your master password when you log in. Not all users will see the prompt immediately, but your account is safe and you can update when prompted. For added security going forward, we recommend enabling multifactor authentication. Also, be wary of phishing emails asking you to disclose your master password, payment information, or any other personal information. Never, ever disclose your master password or any confidential information, even to someone claiming to work for LastPass.

Why did I hear about this in the media first?
Emails have been sent to all users regarding the security incident. Notifying millions of users via email takes time. Therefore, we also announced the security alert to our blog and our social accounts in real-time, and the media quickly picked up the story.

I reset my master password, but now I can’t get in!
If you forgot or mistyped your new master password, please revert your change: https://lastpass.com/revert.php and log in again with the previous master password. Then you can try another change (and be careful of typos!).

I don’t remember my old master password.
Please try password recovery: https://lastpass.com/recover.php on a browser where you’ve used LastPass before. For more information about account recovery, see: https://helpdesk.lastpass.com/account-recovery/

 

June 15, 2015 @ 12:28 PM EST

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.

Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled.

An email is also being sent to all users regarding this security incident. We will also be prompting all users to change their master passwords. You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites.

Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.

Security and privacy are our top concerns here at LastPass. Over the years, we have been and continue to be dedicated to transparency and proactive measures to protect our users. In addition to the above steps, we’re working with the authorities and security forensic experts.

We apologize for the extra steps of verifying your account and updating your master password, but ultimately believe this will provide you better protection. Thank you for your understanding and support.

Joe Siegrist
& the LastPass Team

1,424 Comments

  • I think a postmortem of what happened should be released versus this vague post which doesn’t tell us much
    about the activity and how your systems were compromised.

    We pay you to keep your systems secure!

    • But thats none of my business... says:

      Postmortems take SIGNIFICANTLY longer than 2 days. Be glad they admitted anything at this point.

  • Are your comments set up to block any mention of alternatives? I think it’s only fair to recommend a safe alternative to users who have already decided that they want to switch.

  • Ken Newton says:

    More transparency please. Public post-mortem is a really good idea here…

    • Amber Gott says:

      Thanks Ken, we have before and will likely do so when appropriate as the investigation continues.

    • Anders says:

      Last time there was an incident, they posted a detailed account of what happened. But they do need time to investigate and make sure what they say is what really went down. 3 days is not a lot of time, if you want to investigate something that is more advanced than what some script kiddies can hack together.

  • Paranoid says:

    I gonna go back to write them down keep it in a safe, bye lastpass.

  • Megan S says:

    I just found out about this via twitter by accident. When are you going to notify users officially?

  • jcII says:

    Every time I try to change my master password I get a generic error that it failed, to try later.

    • Amber Gott says:

      We’re having trouble reproducing this at the moment, if you continue to see this after waiting a few minutes and trying again please let us know. Our team can also be reached here: https://lastpass.com/supportticket.php for any ongoing issues.

      • Phil says:

        I believe you’re running into issues of the errors please try again later… because you have it open in another place.
        Until you’ve logged off of ALL of your sessions, you’re going to keep getting that error. I.E. iPhone App, I had to reboot that POS because I can’t kill processes like one can on an Android… guess what my next phone will be?

        • Martijn says:

          You can close iOS apps by opening the multitasking screen (double-click on home button) then swiping up any app you want to explicitly close. In my experience this will terminate any 3rd party app and a reboot will not be needed.

    • G says:

      Same here – can’t change my password. Using latest Chrome and the page just hangs when I click change or I get a vague error message 20-30 seconds later.