Vulnerability in LastPass online password manager: reset your master password

May 6, 2011

Another reason to keep my passwords with me, and with me only. LastPass, one of the leading online password management providers, issued an emergency security notification that forced its users to change their master password. This was due to a suspected database vulnerability. While inspecting the logs, LastPass noticed unusual activity in their database: on analysis they found that the outbound traffic from one of their databases was much greater than the inbound traffic. The official blog post says:

…we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users' encrypted data blobs.

This led them to suspect a security hole in their database and to force a master password change on all users, since anyone holding the server salt and the salted hashes could test password guesses against them offline. The announcement caused more panic, and the LastPass servers couldn’t handle the sudden traffic from the mass master password reset. Within hours they posted an update:

Update 2, 2:15pm EST:
Record traffic, plus a rush of people to make password changes is more than we can currently handle.
We’re switching tactics — if you’ve made the password change already we’ll handle you normally. If you haven’t, the vast majority of you will be logged in using ‘offline’ mode so you can still use LastPass like normal and get back to your day, only syncing of new passwords should suffer (and you’ll see the bar).

Millions of users have been using the LastPass online password manager for years because of its security and flexibility. Moreover, they offer free as well as paid services, which have been praised by popular bloggers and IT magazines. LastPass apologized for the inconvenience caused, but this incident puts a big question mark over the claimed security features of online password managers. The commendable thing in this issue is the transparency of LastPass, as Mashable noted, but this may not be enough to calm down the annoyed LastPass users; the angry comments on their blog underline this.
