Friday, May 6, 2011
Assuming 'The Worst,' LastPass Urges Password Change
In a reaction to Sony's network problems, password-management service LastPass has assumed "the worst" from an unexplained network anomaly. As a result, LastPass required its millions of users to change their master passwords, but the response overloaded its servers. LastPass CEO Joe Siegrist admitted his response may have been "too alarmist."
It's the Age of Security Breaches. Password-management service LastPass said Thursday it may have been attacked, and the company issued a warning to users to change their master passwords.
On its company blog, LastPass said it noticed on Tuesday morning a "network traffic anomaly for a few minutes from one of our noncritical machines." It said such anomalies "happen occasionally, and we typically identify them as an employee or an automated script." LastPass provides cross-platform storage of passwords.
'Going To Be Paranoid'
But, the company said, it couldn't locate the root cause for this anomaly. It then found a "similar but smaller matching traffic anomaly from one of our databases in the opposite direction," meaning traffic received by the server.
Since it couldn't account for the issue, LastPass said it was "going to be paranoid and assume the worst" -- namely, that the database had been accessed.
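The check described above, as an added example that is not LastPass's code: it baselines per-host byte volume per minute from constructed flow records, flags a host whose volume in one minute is far above its baseline, and then pairs an outbound spike on one host with a smaller inbound spike on another (the hosts web-2 and db-1, the minute index, and the thresholds are all assumptions).

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (minute, src, dst, bytes); not real LastPass data.
FLOWS = [
    *[(m, "web-2", "db-1", 1_000 + 50 * (m % 3)) for m in range(10)],   # normal app->db queries
    *[(m, "db-1", "web-2", 4_000 + 200 * (m % 2)) for m in range(10)],  # normal db->app results
    *[(m, "web-2", "203.0.113.5", 800) for m in range(10)],              # normal outbound
    (10, "web-2", "db-1", 30_000),          # database receives far more than usual (smaller anomaly)
    (10, "db-1", "web-2", 4_000),           # db->app traffic stays normal
    (10, "web-2", "203.0.113.5", 300_000),  # noncritical host pushes a large volume out
]
MONITORED = {"web-2", "db-1"}   # internal hosts with a baseline worth keeping

def bytes_by_host(flows, direction):
    """Per-host, per-minute byte totals; 'out' credits the sender, 'in' the receiver."""
    series = defaultdict(lambda: defaultdict(int))
    for minute, src, dst, nbytes in flows:
        host = src if direction == "out" else dst
        if host in MONITORED:
            series[host][minute] += nbytes
    return series

def volume_anomalies(flows, baseline, minute, factor=10.0, sigmas=6.0):
    """Return {(host, direction): ratio} for hosts whose traffic in `minute` is
    both `factor` times their baseline mean and `sigmas` std devs above it."""
    hits = {}
    for direction in ("out", "in"):
        for host, by_min in bytes_by_host(flows, direction).items():
            base = [by_min.get(m, 0) for m in baseline]
            mu, sd = mean(base), pstdev(base)
            seen = by_min.get(minute, 0)
            if mu > 0 and seen > factor * mu and seen > mu + sigmas * max(sd, 1.0):
                hits[(host, direction)] = round(seen / mu, 1)
    return hits

def matching_opposite(hits):
    """Pair an outbound anomaly on one host with an inbound anomaly on another:
    the 'similar but smaller, opposite direction' pattern the post describes."""
    outs = [h for (h, d) in hits if d == "out"]
    ins = [h for (h, d) in hits if d == "in"]
    return sorted((a, b) for a in outs for b in ins if a != b)

if __name__ == "__main__":
    found = volume_anomalies(FLOWS, range(10), 10)
    print(found, matching_opposite(found))
```

A real deployment would feed this from NetFlow or firewall logs and keep a baseline over days rather than ten minutes, but the pairing step is what turns two separate alerts into the single finding worth escalating.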
The company said users who have a "strong, non-dictionary-based password or passphrase" shouldn't be impacted. If there is a threat, the company said, it's that someone will try to crack passwords using dictionary words.
But, to be safe, the company at first required all users to change their master passwords, and to do so either by using a previously used IP address -- meaning logging on from the same network connection as was previously used -- or validating an e-mail address.
The directive to its millions of users, however, overloaded the company's servers. To avoid overload, the company has allowed people to let the company know if their master password is non-dictionary-based and therefore not in need of changing, in addition to other ways of communicating with the company.
Possibly 'Too Alarmist'
LastPass CEO Joe Siegrist has told news media that he may have been "too alarmist" in his response. He indicated that the anomaly was the transfer of a substantial amount of data between machines that wouldn't normally show such traffic.
But the continuing saga of Sony's networks has made companies very aware of the need to speedily respond to possible intrusions. Starting on April 20, Sony's PlayStation Network, Qriocity music service, and Sony Online Entertainment networks have been down because of what Sony has described as an "external intrusion."
Days after the initial outage, Sony revealed that confidential data from millions of users may have been taken -- possibly as many as 100 million users, which would make it the largest ID theft in history.
The size of the potential ID heist, and Sony's slow response in directly informing users, has elicited a storm of investigations and criticism. A congressional subcommittee, the New York attorney general, at least one U.S. senator, and a privacy official in Germany have either begun investigations or asked for more information, and at least two class-action suits have been filed.