Lastpass Possibly Hacked

[THAIPHUKET]

better not be cocksure about any security

http://goo.gl/IWpu3

[manarak]

...that stores passwords in the cloud

well, how dumb can users be ???

[Crushdepth]

The Lastpass thing sounds bad. If the attackers got the server salt as well they can run dictionary attacks against the hashes, and that will give them a large percentage of the master passwords.

You're far better off keeping your passwords locally in something like Password Safe.

[THAIPHUKET]

in above article it says that clients will be informed and asked to change their passwords.

I am testing LastPass only in selected cases.

1 I didn't get any direct info/warning from Lastpass about the problem. Did anyone else get one?

2. An indicator that the problem may be deeper is the fact the login server of LastPass does not respond, no automatic signing in into ThaiVisa

[THAIPHUKET]

INFO

LastPass Security Notification

Update 4, ~10pm EST:

Joe's interview with PCWorld covers more details on what happened, what our thought process has been, and what this means for our users: http://www.pcworld.com/article/227268/exclusive_lastpass_ceo_explains_possible_hack.html.

We continue to work as quickly as possible to address user support.

Update 3, ~4:30pm EST:

Logging in offline should be working everywhere if you have logged in using that client before, if you're having problems with this please attempt to login via the website: https://lastpass.com/?ac=1 that should now take you through an email process to enable your current IP.

If you're having problems getting your data with pocket, make sure you're selecting to login to the local file, not logging in at LastPass.com.

If you changed your password and are now having problems we'll help with that too, please email us if that's the case and include your LastPass email address.

For those who haven't been prompted, and have continued to use LastPass without issue -- we've judged the risk to be low if you're using the same IP -- we're only raising the issue once that changes.

Finally if you have issues with password changes please email us at [email protected], we can revert you, or we can pull data from backups, but please try LastPass Icon -> Clear local cache first.

Update 2, 2:15pm EST:

Record traffic, plus a rush of people to make password changes is more than we can currently handle.

We're switching tactics -- if you've made the password change already we'll handle you normally.

If you haven't the vast majority of you will be logged in using 'offline' mode so you can still use LastPass like normal and get back to your day, only syncing of new password should suffer (and you'll see the bar).

As load lowers we'll increase the percentage of people being sent through email validation / password changing.

For people experience problems please email us at [email protected] -- we have seen a few reports of bogus data post change, we think this is due to you downloading a stale copy and if you go to LastPass Icon -> Clear Local Cache and try again it should work.

You can access your data via LastPass in offline mode or by downloading LastPass Pocket : https://lastpass.com/misc_download.php (choose your OS).

[Crushdepth]

in above article it says that clients will be informed and asked to change their passwords.

Yeah but a lot of people won't login for some time. Some will have stopped using the service, some won't get or will ignore the warning notice etc etc.

[george]

This topic continues here:

LastPass hacked, users urged to change master passwords

Full story: