One of the most popular password security companies just admitted it was hacked


Userlevel 7
Badge +54
15th June 2015  By Cale Guthrie Weissman
 
LastPass, a popular password manager program, just admitted it's been hacked.
 
In a blog post published today, LastPass’s Joe Siegrist writes, "The investigation has shown ... that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised."

 
Full Article
 
Am I right in assuming that this will have NO impact on us @
 

12 replies

Userlevel 7
Badge +56
Yeah we saw this article and we're checking with LastPass right now to see what the impact is and what, if anything, Webroot customers need to do.
Userlevel 7
Badge +54
@ wrote:
Yeah we saw this article and we're checking with LastPass right now to see what the impact is and what, if anything, Webroot customers need to do.
Thank you Nic. Hopefully it is just a case of changing the master password.
Userlevel 7
Badge +54
By Joe Siegrist June 15, 2015
 
We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
 
We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
 
Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
 
Full Article
Userlevel 7
Badge +54
Brian Krebs' take on it, with a bit more information.
 
16th June 2015.
 
http://krebsonsecurity.com/wp-content/uploads/2015/06/lastpass-580x132.png
 
Parsing LastPass’s statement requires a basic understanding of the way that passwords are generally stored. Passwords are “hashed” by taking the plain text password and running it against a theoretically one-way mathematical algorithm that turns the user’s password into a string of gibberish numbers and letters that is supposed to be challenging to reverse.
 
The weakness of this approach is that hashes by themselves are static, meaning that the password “123456,” for example, will always compute to the same password hash. To make matters worse, there are plenty of tools capable of very rapidly mapping these hashes to common dictionary words, names and phrases, which essentially negates the effectiveness of hashing. These days, computer hardware has gotten so cheap that attackers can easily and very cheaply build machines capable of computing tens of millions of possible password hashes per second for each corresponding username or email address.
 
But by adding a unique element, or “salt,” to each user password, database administrators can massively complicate things for attackers who may have stolen the user database and rely upon automated tools to crack user passwords.
 
Full Article
Userlevel 7
Badge +34
Can't find it mentioned before, but Last Pass has been hacked and they are recommending that master passwords be changed.
Could be relevant for Rooters.
http://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571
 
Userlevel 5
Was this issue isolated to LastPass servers, or does/did Webroot face the same issue as it appears to use a password manager derived from LastPass?
 
Also, is the technology licensed from LastPass, and Webroot hosts their own servers, or is there some tighter integration with LastPass?
Userlevel 7
Badge +56
Stay tuned - I should have more info shortly.
Userlevel 7
As far as I could understand from the article by Joe Siegrist, users with weak master passwords should immediately change their master passwords. Users with strong master passwords should be fine.
Userlevel 7
Badge +56
Thanks for your patience everyone. Here's our official statement on the situation:
 
Webroot has been made aware of an apparent security incident with our password management provider, LastPass. Please see the announcement from LastPass available here: https://blog.lastpass.com/2015/06/lastpass-security-notice.html/. LastPass has informed Webroot that Webroot customer data or information of any kind was not exposed as a result of the incident. Webroot will be closely monitoring the situation, and if we feel any changes are necessary, we will inform you and tell you (i) what to do, and (ii) about changes, if any, we have made in response.
 
When situations like this occur, it is a good reminder to take a look at each of your personal security practices and consider whether any of them could be updated to provide better security. For example, if any of your passwords should be strengthened, this may be the time to update them.
Please allow me to throw my two cents in here if I may. I agree with NIC completely about re-evaluating our own personal security protocols. And his mentioning of strengthening personal passwords is a no brainer. Being in the security field for 2 decades I can only say that making passwords as hard as possible is a great deterrent to hackers. The use of upper/lower case letters, numbers, wildcards and actually making the password completely nonsensical in nature will deter most hardened hackers.
 
With the above said I also want to state that this was in NO way preventable from a user's standpoint. This was the complete failure of the company storing passwords. Their lack of due diligence has now caused many users across many different companies to change passwords and to "worry" about data compromise. Over the last few years several companies and government agencies have fallen victim to these hackers because the security people become complacent and don't force change.
 
I think what all users must understand is that NO system is perfect and there is NO SUCH THING as a 100% secure setup. Just ask the Department of Defense or FBI about that. However what we as security experts have learned is that we need to alter our security patterns virtually daily and to enforce not only strict enforcement but to also enforce strong security protocols.
 
In closing out my rant for today I would strongly suggest to Webroot to make a blanket forcing of all passwords. I understand that no Webroot user info was compromised as per LastPass, but would it not be a wise move to be on the proactive side instead of the reactive side of it?
Userlevel 7
Badge +3
Security researchers Alberto Garcia and Martin Vigo will demonstrate attacks on the popular online password management service LastPass at the Blackhat Europe 2015 conference in November.
 
http://www.ghacks.net/2015/09/15/researchers-to-reveal-critical-lastpass-issues-in-november-2015/
 
Userlevel 7
Badge +34
That sounds interesting Dermot - and very scary. Makes me glad I have all my passwords secured locally with KeePass! 😃