LastPass Security Notice

Update: July 10, 2015 @ 8:00 PM EST

Thank you for taking the time to read our posts and follow our recommended actions after the recent events. Behind the scenes, our response has been ongoing. As we mentioned before, we’ve engaged security experts and firms to help us, and we’re working with the authorities to take the appropriate actions.

These events have put our systems to the test, and we’re more secure as a result. Security is an ongoing back-and-forth. We make advancements, and the bad guys do, too. The work is never done here at LastPass. It’s constantly evolving, so it’s important to stay ahead of the game. And when we’re put to the test, we can point to what worked in our model, and evaluate how to secure our fortress going forward.

For example, this event has advanced our timeline for implementing Hardware Security Modules (HSMs), which are now in use. These are designed to protect the cryptographic infrastructure of LastPass. HSMs are used by some of the most security-conscious organizations in the world for managing, processing, and storing cryptographic keys. They are hardened, tamper-resistant devices. All that’s to say, we’re utilizing new, advanced technology to make our solution even more resilient and secure.

We’ve implemented dozens of other changes, large and small, to strengthen our systems and improve the service going forward. We’ve opened up a paid bug bounty program to source security improvements from the research community. We’re adding scrypt as an additional layer to strengthen the authentication hashes server-side, adding further protection against large-scale brute-force attacks.

We have also continued to expand our capacity for larger-scale events like this one. We are designing for better messaging within the service, simplifying session management, and adding more comprehensive device history, all of which help our users be more proactive and informed. Password hints are now optional, too, and a policy to disable them is being added to the LastPass Enterprise Admin Console.

We prioritized disclosing what happened, and all of our actions have centered around keeping you and your data secure. Going forward, we don’t want to lose sight of the ever-growing need for password managers like LastPass. Managing strong, complicated, difficult-to-remember passwords is challenging when you also need to use a different password everywhere. For most of us, we simply can’t practice good password security without a safe tool to help. Password managers are the most efficient way to generate strong passwords for every website, remember those passwords, and back up and sync those passwords securely.

We build a service that is constantly put to the test and improves as cybersecurity threats change. And we never stop advancing our systems as new technology becomes available. All of our resources are invested in building a secure service and putting it to the test, so that together we can keep our identities and our data safe.

Joe Siegrist
& the LastPass Team


Update: June 16, 2015 @ 4:10 PM EST

We appreciate the patience and support from our community after yesterday’s announcement. As expected, we work tirelessly to make sure that your data is safe. That’s why we quickly detected, contained, evaluated the scope of the incident, and secured all user accounts. We want to assure our users that our cyberattack response worked as designed.

We’ve received many questions so we want to take a moment and provide additional clarification:

Was my master password exposed?
No, LastPass never has access to your master password. We use encryption and hashing algorithms of the highest standard to protect user data. We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, use a salt (a random string per user), do another 100,000 rounds of hashing, and compare that to what is in our database. In layman’s terms: cracking our algorithms is extremely difficult, even for the strongest of computers.

Am I at risk if I have a weak master password?
An attacker could try to guess your master password, then use your per-user salt and authentication hash to determine if their guess was correct. Typically, an attacker would try a list of commonly-used passwords or dictionary words (such as 12345678, password1, mustang, robert42, iloveyou). They would have to do this for you specifically, since your “per-user” salt is unique to your account. Because your password is hashed thousands of times locally, and this hashed value is again hashed 100,000 times before being stored server-side, guesses will be very slow. If your master password is weak, or if your password reminder makes it easy to guess, then the attacker could significantly reduce the number of attempts needed to guess it correctly. Then the attacker would have your master password, but not your data, since your data vault was not exposed. If the attacker attempted to get access to your data by using these credentials to log into your LastPass account, they’d be stopped by a notification asking them to first verify their email address. We require this security measure for any attempt to access your vault from a new device/location, unless you have multifactor authentication enabled.

Were passwords or other data stored in my vault exposed?
No, your data is safe. Encrypted user vaults were not compromised, so no data stored in your vault is at risk (including form fill profiles, secure notes, site usernames and passwords). However, if you used your master password for any other website, we do advise changing it – on LastPass as well as on the other websites. Note that you should never reuse passwords – especially your LastPass master password!

What should I do now?
Our security and processes worked as designed, and customer data was, and is, protected. Because we are requiring verification for any new IP address or device, your account is secure. You will be prompted to update your master password when you log in. Not all users will see the prompt immediately, but your account is safe and you can update when prompted. For added security going forward, we recommend enabling multifactor authentication. Also, be wary of phishing emails asking you to disclose your master password, payment information, or any other personal information. Never, ever disclose your master password or any confidential information, even to someone claiming to work for LastPass.

Why did I hear about this in the media first?
Emails have been sent to all users regarding the security incident. Notifying millions of users via email takes time. Therefore, we also announced the security alert to our blog and our social accounts in real-time, and the media quickly picked up the story.

I reset my master password, but now I can’t get in!
If you forgot or mistyped your new master password, please revert your change at https://lastpass.com/revert.php and log in again with the previous master password. Then you can try another change (and be careful of typos!).

I don’t remember my old master password.
Please try password recovery at https://lastpass.com/recover.php on a browser where you’ve used LastPass before. For more information about account recovery, see: https://helpdesk.lastpass.com/account-recovery/


June 15, 2015 @ 12:28 PM EST

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per-user salts, and authentication hashes were compromised.

We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
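The two-stage scheme described here and in the June 16 FAQ above (client-side PBKDF2-SHA256 over username and master password, one further hashing round to form the authentication hash, then 100,000 server-side PBKDF2-SHA256 rounds with a random per-user salt) can be written out end to end. The following is an added illustration, not LastPass’s own code: it assumes the username is used as the client-side salt, that the "another round of hashing" step is a single PBKDF2-SHA256 round keyed by the derived key with the master password as salt, and a 32-byte output length; the page states none of these details. It shows why the stolen record (salt plus stretched hash) neither reveals the vault key nor lets a guess be checked without paying for all 105,001 rounds.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000    # client-side rounds stated in the notice
SERVER_ROUNDS = 100_000  # server-side rounds stated in the notice
KEY_LEN = 32             # assumption: SHA-256 output size; the notice gives no length


def client_key(username: str, master_password: str) -> bytes:
    """Step 1 (client): stretch the master password with PBKDF2-SHA256.
    Assumption: the username is the salt; this key never leaves the client."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"),
        username.encode("utf-8"), CLIENT_ROUNDS, KEY_LEN)


def auth_hash(username: str, master_password: str) -> bytes:
    """Step 2 (client): one more hashing round turns the key into the
    authentication hash that is sent to the server. Assumed construction:
    a single PBKDF2-SHA256 round keyed by the derived key, salted with the
    master password, so the vault key itself is not what the server sees."""
    key = client_key(username, master_password)
    return hashlib.pbkdf2_hmac(
        "sha256", key, master_password.encode("utf-8"), 1, KEY_LEN)


def server_enroll(received_auth_hash: bytes) -> dict:
    """Step 3 (server, at signup): pick a random per-user salt and store only
    the result of 100,000 further PBKDF2-SHA256 rounds over the auth hash."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac(
        "sha256", received_auth_hash, salt, SERVER_ROUNDS, KEY_LEN)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, received_auth_hash: bytes) -> bool:
    """Step 4 (server, at login): recompute the stretched value with the user's
    salt and compare in constant time against the stored hash."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", received_auth_hash, record["salt"], SERVER_ROUNDS, KEY_LEN)
    return hmac.compare_digest(candidate, record["hash"])


def rounds_per_guess() -> int:
    """Total PBKDF2 iterations a verifier (or a guesser holding the stolen
    salt and hash) must spend to test a single candidate master password."""
    return CLIENT_ROUNDS + 1 + SERVER_ROUNDS


if __name__ == "__main__":
    # Constructed sample account, not real credentials.
    user, pw = "alice@example.com", "correct horse battery staple"
    record = server_enroll(auth_hash(user, pw))
    print("login with right password:", server_verify(record, auth_hash(user, pw)))
    print("login with wrong password:", server_verify(record, auth_hash(user, "password1")))
    print("PBKDF2 iterations per candidate:", rounds_per_guess())
```

The stored record holds only the salt and the server-stretched hash; the authentication hash the client sends is never written down, and the client key that protects the vault is never transmitted at all. Because the server salt is random per user, the same master password enrolled twice yields two unrelated records, so a guess must be checked against each account separately at the full cost of every round.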

Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled.

An email is also being sent to all users regarding this security incident. We will also be prompting all users to change their master passwords. You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites.

Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.

Security and privacy are our top concerns here at LastPass. Over the years, we have been and continue to be dedicated to transparency and proactive measures to protect our users. In addition to the above steps, we’re working with the authorities and security forensic experts.

We apologize for the extra steps of verifying your account and updating your master password, but ultimately believe this will provide you better protection. Thank you for your understanding and support.

Joe Siegrist
& the LastPass Team

1,424 Comments

  • Tony says:

    First, thanks for the way you handled this. I see some have been inconvenienced but for the majority (like me) you responded appropriately.

    Second, a question. I’ve seen a report that the attack involved multiple “sophisticated” persons. Be that as it may, I assume that breaking into your system to obtain the account information mentioned was not easy. (Correct me if I’m wrong!) In particular I wonder if the attack displayed the sort of sophistication one might expect of a well resourced organisation – even a government organisation.

    • Tom says:

      I am disappointed that I was not notified by email. Does it take 13 days to notify or are you hiding it from end users? I don’t buy it.

      Quoted from above
      Why did I hear about this in the media first?
      Emails have been sent to all users regarding the security incident. Notifying millions of users via email takes time. Therefore, we also announced the security alert to our blog and our social accounts in real-time, and the media quickly picked up the story.

  • Ray Foulkes says:

    Some genius at Lastpass decided to use mail to validate a sign-in location. Great except I use Lastpass to keep my email password. Since I need email to log in to Lastpass and Lastpass to log into email, that all becomes a little difficult. AAAARRRRRGGGHHHH.

  • Ellen Rich says:

    Help! After changing my master password and then logging into the site, the site no longer recognizes me with old or new info. I have tried this 4 times, so I am turning to you. I turned in a support ticket, but there was no button to push submit, so did it go in? How do I enter and log a support ticket? I have spent about 4 hours on this and I have no more tricks up my sleeve. I am a paid subscriber at Premium.
    Ellen

    • BenB says:

      Ellen, try changing browsers. If using Apple Safari, download and install Firefox. For some reason I have found Safari has issues with Flash-based sites. I had the same issue (on a different matter) and the submit button displayed in Firefox. I have also seen this happen with other sites.

  • Petr L says:

    This is sad news. I hope nothing happened :). I was very satisfied with the LastPass service.

  • Anonymous says:

    Still no E-mail notifying me of this. Does that mean I am not impacted?

    • Anatoly_LP says:

      All the emails should have been sent, maybe it went to your spam box? In any case, please follow the recommendations just to be safe: change your master password, and set up multifactor authentication on your account.

      • Anonymous says:

        Nope, never got one. I check my junk mail every day. I have LastPass on my safe senders list. The last email I have is from April, when I went Premium.

  • Joanne says:

    This is horrible for a company like this. Embarrassing and unbelievable that any sort of breach would happen to a password manager. When I Google LastPass, the first thing that comes up is about their breach. Nice publicity, LastPass… really? Not one but two breaches in 3 years!!! UNINSTALLING IT NOW ON MY COMPUTERS AND MY FRIENDS’

    • Chris says:

      I dunno… considering a company such as LastPass automatically has a big fat Hacker Target on their backs, 2 breaches in 3 years, with ZERO compromised critical data seems like a pretty awesome record to me.

    • mariner says:

      Bye Darling!