It’s a bummer when your password service is breached. NOTE: Not that they were breached, LastPass is being pro-active.
The “last password youll ever need” now requires a reset: LastPass is forcing users of the password manager service to change the single master password they created for accessing websites, virtual private networks, and Web mail accounts via the tool. The move comes in response to the companys discovery of unusual network activity around one of its databases.
LastPass says it detected a “network traffic anomaly” in a non-critical server that led to the discovery of a similar problem with its database that houses email addresses and salted password hashes: more traffic was going out of the server than was going in. “Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users encrypted data blobs,” LastPass said in its company blog.
That’s some good internal forensics right there. We know they watch their logs!