Data breach at cloud password manager overwhelms servers
After noticing some network anomalies on that day, LastPass — a service for storing user names and passwords online — advised its users to change their master passwords. The master password is used to access all the passwords stored in a user's account.
"After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server)," the LastPass crew explained in the company's blog. "Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed."
In addition to forcing all its users to change their master passwords, the crew also required its customers either to confirm they were logging in from an IP block they had used before or to validate their email addresses. The idea was that if a malcontent had compromised a password through a brute force dictionary attack, they still wouldn't have the email or IP address associated with the account.
"We realize this may be an overreaction and we apologize for the disruption this will cause, but we'd rather be paranoid and slightly inconvenience you than to be even more sorry later," the crew noted.
LastPass could not avoid sorrow, however. Its action was the equivalent of shouting "fire" in a crowded theater. "Record traffic, plus a rush of people to make password changes is more than we can currently handle," it confessed a few short hours after it sounded its alarm.
Although it initially informed its customers that if they had a strong, non-dictionary password, they would not have to change their master password, it treated customers with strong passwords the same way it treated those with weak ones. That is, the only way they could access their accounts was to change their master passwords.
Two days after it aired the announcement of the data breach, though, it saw the error of its ways. "We've added the option for you to say that you know your master password is strong and to avoid password change, we apologize for not having that available when we announced," the company blogged.
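The two controls described above (a login is accepted only from a previously used IP block or after the user validates an email token, and the forced master-password change is waived for users who attest their password is strong) can be modelled as a small login gate. This is an added illustration, not LastPass code; the /24 and /64 definition of an "IP block", the one-time email token and the account fields are assumptions.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Assumption (not stated by LastPass): an "IP block" is the /24 around an
# IPv4 address or the /64 around an IPv6 address.
def ip_block(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

@dataclass
class Account:
    known_blocks: set = field(default_factory=set)    # blocks seen on past logins
    pending_tokens: set = field(default_factory=set)  # one-time email tokens issued
    attested_strong_master: bool = False              # user said "my password is strong"

def issue_email_token(account: Account) -> str:
    """Server side of 'validate your email address': mint a one-time token
    that is sent to the address on file (delivery is out of scope here)."""
    token = secrets.token_urlsafe(16)
    account.pending_tokens.add(token)
    return token

def login_check(account: Account, password_ok: bool, src_ip: str,
                email_token: Optional[str] = None) -> Tuple[str, bool]:
    """Return (decision, must_change_master_password).

    decision is "deny", "verify_email" or "allow". A correct master password
    alone is not enough: the source IP block must be one the account has used
    before, or the caller must present the token that was delivered by email.
    A brute-forced password therefore does not open the account by itself.
    """
    if not password_ok:
        return "deny", False
    block = ip_block(src_ip)
    if block not in account.known_blocks:
        if email_token is None or email_token not in account.pending_tokens:
            return "verify_email", False
        account.pending_tokens.discard(email_token)  # one-time use
        account.known_blocks.add(block)               # block is now trusted
    # Forced master-password change unless the user attested it is strong.
    return "allow", not account.attested_strong_master
```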
At this point, LastPass — whose motto is "The Last Password You'll Have To Remember" — believes most of its users' information is safe. Asked by PCWorld if there was any chance that users' data had been compromised, LastPass CEO Joe Siegrist replied:
"We don't think there's much of any chance of that at this stage. If there was, it would be on the orders of tens of users out of millions that could be in that scenario, just because of the amount of data that we saw moved. But it's hard for us to be 100 percent definitive without knowing everything."