Saturday, May 7, 2011

Possibly CRITICAL security breach - out of paranoid concern. LastPass.com security breached.

www.LastPass.com is overwhelmed with traffic right now and won't allow you to change your password.

They are acting out of the utmost, even paranoid, security concern; the breach has not been 100% verified, but it is likely.

Once you can, change your password.

LastPass forcing members to change passwords | Security - CNET News

Based on the information presented in their blog post, there’s a couple potential scenarios here, each with a varying degree of severity and likelihood:
  • Nothing happened. (unlikely)
  • LastPass was compromised and had their master password database exfiltrated. (likely)
  • LastPass was compromised and had both the master password database and encrypted blobs exfiltrated. (possible)
  • LastPass is *still* owned and everyone resetting their master passwords just gave the attackers access to the encrypted blobs that may have been exfiltrated. (scary, but unlikely)
In my personal opinion, I would move forward with the assumption that LastPass was indeed compromised and that the master password database was successfully exfiltrated.




A similar website that allows automatic logins and stores your passwords in the cloud is www.RoboForm.com.

Passwords are always stored scrambled, but the problem is the master password: if it is breached, it allows access to them.
