LastPass hack causes password problems – offline mode suggested

LastPass has been subject to a serious hack attack. If you are getting errors where LastPass cannot log you in then your first step is to attempt a login via the plugin AND via the website immediately afterwards.

LP stated that significant traffic had left one of its primary servers – traffic that could have included the users’ email addresses, server salt and salted password hashes. Whilst this is often normal, LP couldn’t track down the root cause and elevated this to a high risk level.

As news filters in of the attack, people with LastPass accounts are hitting their servers trying to change their passwords. This is putting a huge strain on the LastPass servers and consequently they are trying to reduce the load while trying to keep security at a maximum.

You should change your LastPass master password immediately if it is not a very secure one. By not secure I mean anything from the dictionary or common passwords like Letmein, L3tM3In, abc123, pa55word etc. The reason for this is that the breach of LastPass’s security systems allowed an attack that could potentially “reverse” the stored salted password hash and reveal your password to the attacker. This type of ‘brute-force’ attack works quickly on weak passwords but takes months, years, even decades depending on the complexity of a password. The best type of password contains a mixture of capital letters, numbers, non-alphabetical characters (!, *, $ etc) and is a minimum of eight characters in length.
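To make the point about salted hashes and weak passwords concrete, here is an added example (not LastPass’s code, and the iteration count and salts are illustrative assumptions): it salts and iterates a master password the way a server would, sizes the keyspace an attacker has to search offline, and checks a candidate against the guidance above.

```python
import hashlib
import string

# Assumptions, not LastPass settings: an illustrative PBKDF2 work factor.
ITERATIONS = 100_000
SYMBOLS = set(string.punctuation)  # 32 printable non-alphanumeric characters

# Constructed list of the kinds of common passwords the post warns about.
COMMON_PASSWORDS = {"letmein", "l3tm3in", "abc123", "pa55word", "password", "123456"}


def hash_master_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash: the per-user salt defeats precomputed tables, and
    the iteration count makes every single offline guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def character_classes(password: str) -> dict:
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in SYMBOLS for c in password),
    }


def keyspace(password: str) -> int:
    """Candidates an attacker must try to exhaust every password built from the
    same character classes and length."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(SYMBOLS)}
    alphabet = sum(sizes[k] for k, present in character_classes(password).items() if present)
    return alphabet ** len(password)


def meets_guidance(password: str) -> bool:
    """The post's minimum: capitals, numbers, non-alphabetic characters, at least
    eight characters, and not a well-known common password."""
    classes = character_classes(password)
    return (len(password) >= 8 and classes["upper"] and classes["digit"]
            and classes["symbol"] and password.lower() not in COMMON_PASSWORDS)


def seconds_to_exhaust(password: str, raw_hashes_per_second: float,
                       iterations: int = ITERATIONS) -> float:
    """Worst-case time to search the whole keyspace offline. Each guess costs
    `iterations` hash computations, so the effective guess rate shrinks by that factor."""
    guesses_per_second = raw_hashes_per_second / iterations
    return keyspace(password) / guesses_per_second
```

Two users sharing a weak password still end up with different stored hashes because of the salt, but a stolen salt does not slow the search for that one user down; only the keyspace and the per-guess cost do.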

LastPass have been proactive in this and immediately owned up to the event, which I believe is admirable. The fact that they didn’t email every user is a failure though, even if they had simply pointed people towards their website with an explanation.

For me, if the system has been breached and the cause unknown, asking for password changes is a very dubious course of action. LP have now changed the method so that you can temporarily authenticate a PC via an email link.

Some users getting a message like “Your account settings have restricted you from logging in from this mobile device.” have had to resort to exporting contacts and deleting/recreating their LastPass account.

Comments?
