Popular web-based password vault LastPass is forcing thousands of users to change master passwords following a potential data breach.
The respected security service warned users via email that it detected “an anomaly” in network traffic which it said may be the result of the theft of email addresses and passwords from its network.
LastPass is billed as “the last password you’ll ever need” because it stores online identities protected by a master password.
A slight increase in outbound traffic was detected from a non-critical server and separately from a database which the company said could not be explained.
“In this case, we couldn't find that root cause,” it said in an email. “…we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed.”
The company said it knows “roughly” how much data was transferred, which is “big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database”.
That amount is not enough to have moved whole encrypted password vaults, the company said.
Users must now also either log in to the service from a previously used IP address block or validate their email address.
“The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.”
Brute-force attacks would be required to recover master passwords from the salted hashes.
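To make the two points above concrete (what a stolen record of email address, salt and salted hash does and does not give an attacker, and why a correct password alone no longer logs a user in), here is an added illustration in Python. It is not LastPass's code and is not taken from the article: the key derivation function (PBKDF2-HMAC-SHA256), its iteration count, the per-record salt, and the record layout are all assumptions chosen for the example, and the sample email and password are constructed.

```python
import hashlib
import hmac
import ipaddress
import os
from typing import Optional

# Assumption: the article does not state which KDF or iteration count is used.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash using PBKDF2-HMAC-SHA256 (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_record(email: str, master_password: str, salt: Optional[bytes] = None) -> dict:
    """Build the server-side record: email address, salt and salted hash.
    This is the kind of data the article says may have been copied; the master
    password itself is never stored, so a copied record only allows offline
    guessing against the hash."""
    if salt is None:
        salt = os.urandom(16)
    return {
        "email": email,
        "salt": salt,
        "hash": hash_password(master_password, salt),
        "known_networks": [],  # IP blocks this user has logged in from before
    }


def remember_network(record: dict, cidr: str) -> None:
    """Record an IP block the user has previously logged in from."""
    record["known_networks"].append(ipaddress.ip_network(cidr, strict=False))


def password_matches(record: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate's salted hash with the stored one."""
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def login_allowed(record: dict, candidate: str, client_ip: str, email_validated: bool) -> bool:
    """Policy described in the article: a correct master password is necessary but
    not sufficient. The login must also come from a previously seen IP block or be
    confirmed through the user's email account."""
    if not password_matches(record, candidate):
        return False
    ip = ipaddress.ip_address(client_ip)
    from_known_network = any(ip in net for net in record["known_networks"])
    return from_known_network or email_validated


if __name__ == "__main__":
    # Constructed sample user; the address and passphrase are made up.
    rec = make_record("alice@example.com", "correct horse battery staple")
    remember_network(rec, "203.0.113.0/24")
    print(login_allowed(rec, "correct horse battery staple", "203.0.113.7", False))   # True
    print(login_allowed(rec, "correct horse battery staple", "198.51.100.9", False))  # False
    print(login_allowed(rec, "correct horse battery staple", "198.51.100.9", True))   # True
```

The second and third calls in the usage show the mitigation the company describes: even a guessed master password fails from an unfamiliar network unless the login is confirmed through email, so the stolen hashes alone do not unlock an account.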
“In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we'll continue to find ways to reduce how large a target we are.”
Users locked out of their email accounts, if for instance they relied on LastPass to log in, can use any of the multiple LastPass plugins in offline mode using their existing master password.
The company has bucked the trend by disclosing the anomaly and the risk of a data breach, and by taking long-term steps to strengthen security.
Meanwhile, Sony and email provider Epsilon were chastised for lax disclosure efforts after they were each hit with massive data breaches.