Password Manager Last Pass Possibly Hacked

Last Pass, which offers a universal password via a browser extension, has announced on its company blog that it might have been the target of a hacking attempt on Tuesday, when it experienced a traffic anomaly it could not identify.

From the Last Pass blog:

“In this case, we couldn’t find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server).

Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn’t remotely enough to have pulled many users’ encrypted data blobs.”

Still unsure whether this was actually an attack or who was responsible, Last Pass (whose slogan is, ironically, “the last password you’ll have to remember!”) initially asked users to change their passwords.

Because of traffic overload due to this breach news, it is now asking users to verify their emails and will be rolling out password changes as the traffic dies down: “We’re asking if you’re not being asked to change your password then hold off — we’re protecting everyone.”