An outfit which offered to protect people’s passwords from hacking appears to have been, er, hacked.
Joe Siegrist, CEO of password management company LastPass, said that it was highly unlikely hackers gained access to his millions of users’ data; however, he is warning people to change their passwords just in case.
Chatting to PCWorld, Siegrist said that LastPass noticed a “network traffic anomaly” and implemented additional security as a result.
He thinks he might have been “too alarmist” in assuming the worst, but that he wanted to act quickly and make sure everyone was informed, even if it stuffed up his company’s image.
What Siegrist’s security team noticed was a traffic spike at a time when machines should not have been transferring a lot of data between each other.
He said that it made him a little nervous and antsy, so he thought the best idea would be to run through the worst possible scenario. That’s even if there was no supporting evidence that anything dodgy had occurred.
There was not a lot of data which could have been taken, but enough to cover people’s usernames and encrypted passwords.
Siegrist believes that’s just about enough to set up a potential attacker. The idea is they could comb for weak master passwords without having to directly attack the servers.
The machines involved have the users’ encrypted blob data as well as the data for their usernames, their password hashes, and the salt for those hashes. Only a couple hundred blobs could have been taken, we hear.
If a strong master password had been used then there was very little reason for users to be worried.
Users with a weak master password might face a little more risk, but it’s a one-in-a-million kind of risk based on the total amount of data that was transferred.
Users with weak passwords have been asked to beef them up.