LastPass Update: They're Under Attack, Too

Please see UPDATEs below.

Yesterday I mentioned that I'd found both convenience and (increased) security in the LastPass system for handling online passwords.

Late yesterday, LastPass announced that its engineers had detected a "network traffic anomaly" for which they could not immediately identify the "root cause." Then they found another small anomaly. As explained now on its blog:

"Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transfered and that it's big enough to have transfered people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users encrypted data blobs.

"If you have a strong, non-dictionary based password or pass phrase, this shouldn't impact you - the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing.

"To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP."

I am headed to an airport again and don't have time to explain "salted password hashes" etc just now. The take-home messages of the LastPass announcement are:
  a) All LastPass users will have to change their "master password," which is not that onerous -- and LastPass will check to be sure that the change is coming from a recognized address or user;

  b) People who choose "dictionary words" for their passwords -- ie, normal words that a hacker could just try at random, in a "brute force" attack, to see if one is accepted -- are at greater risk than those who mix the passwords up. The mixing up can include numbers, special characters, multi-word phrases, etc -- password construction is a topic for another time, but mainly this is a reminder not to have things like "password" or "123456" as your special phrase.

  c) At first glance, the company seems to be erring on the side of being quick; transparent (in explaining just what happened, and the risks); and protective of their users (better safe than sorry, so everyone must change their passwords now) in its response. Speed, transparency, and a tragic imagination about what might go wrong are very important elements of survival in the cloud era. Based on what I know now, and how the company has responded, I feel good about still using them as a password protector. We'll see what comes next.
UPDATE: from an airport, the comments on the LastPass site suggest a real range of experiences. Some users are reporting the problem mentioned in the email below: that after a user changes the master password, as now required by LastPass, all the other stored passwords are rendered into gibberish. Which is a whole new nightmare. Other users indicate no problems.  The note quoted below suggests making a local copy of all the stored passwords before doing anything with the LP account.  I can't vet or fully check this out at the moment, but in the spirit of real-time update, this is an important cautionary note. A reader writes:


 1.       They have a blog post about  a possible hack and advice they intend to give to warn people to change their master password

2.       I changed mine ahead of getting a note from them, though I may not have needed to (I use a Yubikey for 2 factor authentication). A harmless precaution I thought.

3.       As soon as I did so all of my records (hundreds) became complete gibberish

4.       I cannot even log into the support forum as I could - I'll have to create a new account

5.       But... others are posting the same problem

Looks like a disaster, and a great pity as this was working so well, so being deprived of it is a huge inconvenience.

I think the operative advice is to download all one's passwords before changing the master password. I don't keep my banking or other critical passwords online (I use and recommend KeepassX) and there's now a way of loading Lastpass passwords into this for safekeeping, which I haven't got around to yet.

I do have a backup stored in my own creation: a TiddlyFolio (a Tiddlwiki than can encrypt key data and which lives on a USB stick on my key ring):, but it's not as up to date as I'd like.<<

Some of the most recent comments on the blog itself have similar protective advice. We're all in the middle of figuring out the proper long-term cloud security protocols.

UPDATE^2: And a technically sophisticated user makes a case in support of LastPass's handling of the case and its long-term security. 

Presented by

James Fallows is a national correspondent for The Atlantic and has written for the magazine since the late 1970s. He has reported extensively from outside the United States and once worked as President Carter's chief speechwriter. His latest book is China Airborne. More

James Fallows is based in Washington as a national correspondent for The Atlantic. He has worked for the magazine for nearly 30 years and in that time has also lived in Seattle, Berkeley, Austin, Tokyo, Kuala Lumpur, Shanghai, and Beijing. He was raised in Redlands, California, received his undergraduate degree in American history and literature from Harvard, and received a graduate degree in economics from Oxford as a Rhodes scholar. In addition to working for The Atlantic, he has spent two years as chief White House speechwriter for Jimmy Carter, two years as the editor of US News & World Report, and six months as a program designer at Microsoft. He is an instrument-rated private pilot. He is also now the chair in U.S. media at the U.S. Studies Centre at the University of Sydney, in Australia.

Fallows has been a finalist for the National Magazine Award five times and has won once; he has also won the American Book Award for nonfiction and a N.Y. Emmy award for the documentary series Doing Business in China. He was the founding chairman of the New America Foundation. His recent books Blind Into Baghdad (2006) and Postcards From Tomorrow Square (2009) are based on his writings for The Atlantic. His latest book is China Airborne. He is married to Deborah Fallows, author of the recent book Dreaming in Chinese. They have two married sons.

Fallows welcomes and frequently quotes from reader mail sent via the "Email" button below. Unless you specify otherwise, we consider any incoming mail available for possible quotation -- but not with the sender's real name unless you explicitly state that it may be used. If you are wondering why Fallows does not use a "Comments" field below his posts, please see previous explanations here and here.


Cryotherapy's Dubious Appeal

James Hamblin tries a questionable medical treatment.


Confessions of Moms Around the World

In Europe, mothers get maternity leave, discounted daycare, and flexible working hours.


How Do Trees Know When It's Spring?

The science behind beautiful seasonal blooming

More in Technology

From This Author

Just In