Password storage service fears hack, 'forces' users to reset


Users of password storage service LastPass went into panic this week after the company said that its servers may have been hacked into. In a blog post, LastPass said that it had noticed a "network traffic anomaly" and "forced" users to change their master passwords as additional security.

"We noticed an issue (Tuesday) and wanted to alert you to it. As a precaution, we're also forcing you to change your master password ... Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs," it said.

Switching tactics

But LastPass was overwhelmed by the rush of people trying to change their master passwords. The company noted "record traffic" in volumes that were "more than we can currently handle." On Saturday (Manila time), LastPass said it was "switching tactics" and allowing its users not to change their master passwords.

"Currently we're not allowing users to change master passwords until our databases are completely caught up and we have resolved outstanding issues. We will update our users via the blog when it is possible to do so," it explained.

An update said that LastPass had identified an "issue" with 0.5 percent of users that "impacted their master password change."

Better to be paranoid than sorry

"We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later," LastPass said.

A message on LastPass' home page as of 9pm Friday (Philippine time) indicated it is still "experiencing extremely high load."

LastPass CEO Joe Siegrist said that, while it is "highly unlikely" that hackers had gained access to the data of the company's millions of users, he did not want to take any chances. In an interview with PC World, Siegrist also said that while he may have been "too alarmist" in assuming the worst, he wanted to act quickly and make sure everyone was informed.

'Not much chance' that passwords were compromised

Still, he said he believes there is "not much of any chance" that passwords users stored in their LastPass accounts could be compromised, at least for now. He added those with strong master passwords, especially passwords not based on dictionary words, have no reason to worry.

"If you used a strong master password, even if anything had been taken, there shouldn't be any cause for concern. If you used a weak master password, there might be a little more risk, but it's kind of a one in a million kind of a risk based on the total amount of data that was transferred. If you used a weak master password, it's probably wise now to replace it with a strong one and look at your most critical sites--your banking, your e-mail--and think about changing those," he said.

Requiring proof of identity

He explained that, for now, LastPass is requiring every user to prove that they are coming from an IP that LastPass had seen them come from before, or to prove that they still have access to their e-mail.

"We think by taking those steps, we're locking down any chance that somebody that guessed one of the master passwords would have any shot of getting in," he said. — TJD, GMA News