On May 4th, the LastPass blog posted the following notice (see link for full post):
We noticed an issue yesterday and wanted to alert you to it. As a precaution, we’re also forcing you to change your master password.
We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.
In this case, we couldn’t find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users’ encrypted data blobs…
On the same post, many commenters aren’t happy.
This is very disturbing. Whilst it may well be overkill and paranoia, the fact that attempts and anomalies are being logged doesn’t make one confident in storing their data with LP :(
LP have continually dismissed independent auditing. I ask now…isn’t it time you gave in and let a 3rd party audit you so you can find these things such as “server open to UDP more than it needed to be”??
Seriously dude, this is bad stuff. I’m locked out of ALL my different accounts, and it isn’t accepting my lastpass master passphrase. I guess I learned my lesson here. There is no way in hell that I’m storing my important logins/passwords in the cloud again.
A lot of us are effectively shut out from our own information for the time being. It’s not mere inconvenience if there is an urgent matter at hand for a customer.
And of course there are many more. I understand what these people are trying to say. It’s annoying that this service, of all services, would have issues. The cloud as we know it is new and there are new issues to deal with. So I understand where these people are coming from. However.
If you’re using LastPass and you discovered it on your own, you’re probably geeky enough to take the next logical, prudent steps. What steps? Every Tuesday is my designated day to download and back up everything I own. That includes: my email, my calendar, my drive files, my LastPass, my Kindle books, my music, all of my blogs, my bookmarks and so much more. Every Tuesday. My calendar alerts me and I generally get it all saved away before 8pm. It’s not that hard.
Let’s focus on LastPass though, since that’s the concern. I back up my LastPass account in the following way. I have two flash drives. I plug both in and I use the aforementioned LastPass Pocket. Essentially, I log in and ask Pocket to grab my blob from the LastPass servers. Then, once loaded, I go to File - Export and save the blob in the same LastPass folder on my flash drive. I then close Pocket and attempt to load the blob from the flash drive to ensure it works. If it does, I repeat the process for the other drive. I have two discrete copies of my LastPass blob on two different physical devices.
Sounds like a lot of work? It’s not really. These things happen and one day I might be without internet access but I might need to give someone my password for something. It’s all on the drive ready to go. I keep one with me and one at home. It’s that easy. The passwords are always at most a week out of date. I never thought it would happen but I knew it could. That’s the point. I think most people using LastPass are wise enough to understand this. I hope.
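The copy-and-verify routine described above, as an added Python example (not LastPass's or Pocket's own tooling): it takes the file that File - Export wrote, copies it to a dated file under a LastPass folder on each drive, checks each copy's SHA-256 against the source before trusting it, and reports how old the newest backup on a drive is, which is the "at most a week out of date" check. The drive paths and the export file in the usage line are placeholders.

```python
"""Copy a password-manager export to several drives and verify every copy.

Added example, not LastPass's or Pocket's own tooling. Assumes the export
written by File - Export is an ordinary file; drive paths are placeholders.
"""
from __future__ import annotations

import hashlib
import shutil
import sys
import time
from datetime import date
from pathlib import Path

SUBDIR = "LastPass"  # folder kept on each flash drive, as in the post


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large exports are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_export(src: Path, drives: list[Path], today: date | None = None) -> list[Path]:
    """Copy src to <drive>/LastPass/<name>-<date><ext> on each drive and verify it.

    A copy whose hash does not match the source is deleted and an error raised,
    so a half-written file on a flaky flash drive never passes as a backup.
    """
    src = Path(src)
    today = today or date.today()
    expected = sha256_file(src)
    copies: list[Path] = []
    for drive in drives:
        dest_dir = Path(drive) / SUBDIR
        dest_dir.mkdir(parents=True, exist_ok=True)
        dest = dest_dir / f"{src.stem}-{today.isoformat()}{src.suffix}"
        shutil.copyfile(src, dest)
        if sha256_file(dest) != expected:
            dest.unlink()
            raise OSError(f"verification failed for {dest}")
        copies.append(dest)
    return copies


def newest_backup_age_days(drive: Path, now: float | None = None) -> float | None:
    """Age in days of the newest export under <drive>/LastPass, or None if none."""
    dest_dir = Path(drive) / SUBDIR
    if not dest_dir.is_dir():
        return None
    mtimes = [p.stat().st_mtime for p in dest_dir.iterdir() if p.is_file()]
    if not mtimes:
        return None
    now = time.time() if now is None else now
    return (now - max(mtimes)) / 86400.0


if __name__ == "__main__":
    # Usage (placeholder paths): python backup_export.py export.csv /media/driveA /media/driveB
    if len(sys.argv) < 3:
        sys.exit("usage: backup_export.py <export-file> <drive> [<drive> ...]")
    for copy in backup_export(Path(sys.argv[1]), [Path(d) for d in sys.argv[2:]]):
        print("verified", copy)
    for d in sys.argv[2:]:
        age = newest_backup_age_days(Path(d))
        print(f"{d}: newest backup is {age:.1f} days old")
```

The verification step is the part worth keeping even if you script nothing else: a copy that reads back with a different hash is deleted rather than left to be discovered on the day you need it.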
Another sentiment is about the email verification method.
Bastards! How the hell can I login to my email without the “one password”? The “disconnect the internet” hack doesn’t work on any of my extensions and Pocket won’t let me login because of an IP change. In case you haven’t figured out, some of us have dynamic IPs that change every now and then.
Okay. So you’re telling me that you used LastPass to generate an insanely secure password but did not write it down for your master email account? Seriously. Good move there. I wrote down four passwords that I generated with LastPass. These are all on a tiny unlabeled piece of paper stashed in a nightstand. Gmail, my bank, 1and1 account and LastPass itself. None of them are labeled and look very much like gibberish. I trust LastPass and all, but there is no way I trust one single method to access my master email account. Without that, I really have no recourse – not just for resetting LastPass, but for doing anything at all.
This has been quite a rant. LastPass’ post reports that there may have been a breach, but what may have been taken is email addresses, the server salt and salted password hashes, not the encrypted vaults, so only weak master passwords that can be guessed offline are realistically at risk: the same as any password. The moral of the story – assume nothing is infallible, always back up, be prepared and accept whatever comes down the pipe.
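What the arithmetic behind that claim looks like, as an added Python example (not LastPass's code, and not its actual hashing scheme): a toy server-side hash of sha256(server_salt || password), a constructed wordlist, and three constructed leaked records. The notice mentions "the server salt"; the example assumes that means one salt shared by the records on that server, so each guess is hashed once and compared against every leaked hash at no extra cost per user. Two dictionary-word master passwords fall out within eight guesses; the generated one is in no wordlist and survives. A real deployment should use a slow, iterated KDF (the iterations parameter stands in for that work factor), which raises the per-guess cost but does nothing for a password that appears in a wordlist.

```python
"""Offline guessing against leaked salted password hashes.

Added illustration, not LastPass's code or its real hashing scheme. Assumes a
toy hash sha256(salt || password) and, per the notice's "server salt", one salt
shared by the records. The salt, wordlist and leaked records are constructed.
"""
from __future__ import annotations

import hashlib

SERVER_SALT = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")  # constructed


def server_hash(salt: bytes, password: str, iterations: int = 1) -> str:
    """Toy salted hash; `iterations` stands in for a slow KDF's work factor."""
    digest = salt + password.encode("utf-8")
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def offline_guess(salt: bytes, leaked: dict[str, str], candidates: list[str],
                  iterations: int = 1) -> tuple[dict[str, str], int]:
    """Run a wordlist against every leaked (email -> hash) record.

    With a shared salt each candidate is hashed once and looked up against all
    records, so the work does not grow with the number of users.
    Returns ({email: recovered_password}, hashes_computed).
    """
    by_hash: dict[str, list[str]] = {}
    for email, digest in leaked.items():
        by_hash.setdefault(digest, []).append(email)
    found: dict[str, str] = {}
    computed = 0
    for cand in candidates:
        computed += 1
        for email in by_hash.get(server_hash(salt, cand, iterations), []):
            found[email] = cand
        if len(found) == len(leaked):
            break  # every record recovered; no need to finish the list
    return found, computed


# Constructed wordlist; a real attacker uses millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "lastpass",
            "monkey", "iloveyou", "dragon"]

# Constructed leaked records: two dictionary-word master passwords and one
# 16-character generated one (the kind the post says to write down).
LEAKED = {
    "alice@example.com": server_hash(SERVER_SALT, "letmein"),
    "bob@example.com": server_hash(SERVER_SALT, "password"),
    "carol@example.com": server_hash(SERVER_SALT, "x7Gq!pR2#vL9mT4z"),
}

if __name__ == "__main__":
    found, computed = offline_guess(SERVER_SALT, LEAKED, WORDLIST)
    print(f"{computed} hashes computed; recovered: {found}")
```

The salt still matters: it stops an attacker reusing a table of hashes precomputed before the leak. What it cannot do is make "letmein" expensive to guess after the leak, which is the whole reason a forced master-password change is the right response for anyone whose password could plausibly be in a wordlist.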