Anomalous network traffic has been detected at LastPass, a multiplatform online password manager, possibly as the result of a hacker attack, so users of the service would do well to change their passwords.
LastPass, which positions itself as “the only password you need to remember,” is an extension for all popular browsers. It automatically fills out forms with previously saved data and, at the touch of a button, synchronizes personal data across the different computers you use.
The company's blog says that anomalous traffic was recorded on a non-critical server. Employees investigated the anomaly but could not establish its cause. Then a stream of outgoing traffic from one of the closed databases was noticed. “Since we cannot explain the cause of the incident, you can consider us paranoid, but we assume the worst: that someone managed to get access to the data stored in this database.”
The amount of stolen data is known to have been large enough that it may well contain both clients' e-mail addresses and hashed passwords. However, it is reported that the volume was not large enough to affect all users; only some of them were affected.
The LastPass team strongly recommends changing the master password. In addition, they will verify users either by IP address or by mailbox authentication.
Although the scale of the losses is still unknown, for LastPass (named one of PCWorld's best programs of 2009) this situation may be an opportunity to test its new protection mechanism in practice: PBKDF2 (Password-Based Key Derivation Function 2) using SHA-256 on the server, with 256-bit encryption (100,000 cycles).
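An added example, not LastPass's code: server-side PBKDF2 with SHA-256 at the 100,000 cycles mentioned above, going one step further to show how a record stored under a lower count can be re-hashed at login. The 256-bit salt and key sizes, the record layout and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # the "100,000 cycles" quoted in the article
SALT_BYTES = 32       # assumption: 256-bit random salt per user
KEY_BYTES = 32        # assumption: 256-bit derived key


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> dict:
    """Derive a storable record; salt and count are kept beside the key."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=KEY_BYTES)
    return {"salt": salt, "iterations": iterations, "dk": dk}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive with the record's own parameters, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"],
                                    dklen=len(record["dk"]))
    return hmac.compare_digest(candidate, record["dk"])


def verify_and_upgrade(password: str, record: dict) -> Tuple[bool, dict]:
    """Check a login; if the stored count is below the current target,
    return a fresh record (new salt, full count) to store in its place."""
    if not verify_password(password, record):
        return False, record
    if record["iterations"] < ITERATIONS:
        record = hash_password(password)
    return True, record


if __name__ == "__main__":
    # Constructed sample: a record created under an older, lower count.
    legacy = hash_password("correct horse battery", iterations=1_000)
    ok, current = verify_and_upgrade("correct horse battery", legacy)
    print(ok, legacy["iterations"], "->", current["iterations"])
```

The iteration count multiplies the cost of every guess against a stolen hash, which is why it matters when hashed passwords may have left the database.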
Against the background of recent identity-theft incidents (the most prominent example being Sony and the approximately 77 million affected PlayStation Network users), it is actually a good thing that LastPass takes this “paranoid” approach.
UPD, thanks alesot
Now the service is experiencing emergency loads, so we intentionally connect you to offline mode.
Update 2, 2:15 pm EST:
The record level of traffic, plus a huge number of people trying to change their password, exceeded our request processing speed.
We are changing tactics: if you have already changed your password, your request will be processed as usual.
If you have not yet changed your password, your request will be processed offline, so you can still use LastPass as usual. Only password synchronization will suffer. You will see a warning panel.
As soon as the load decreases, we will increase the percentage of requests for changing the password / checking the e-mail sent for processing.
For those who have any problems, email us at support@lastpass.com
We have seen several messages about failed password changes; we think that this is due to downloading the old version.
Click on the LastPass -> Clear Local Cache icon and try again; it should work.