PSN still down, internal testers online in various games though

Status
Not open for further replies.
Anybody doing the ClearID thing?

A $1 million identity theft insurance policy per user to provide additional protection in the event that an AllClear ID Plus customer becomes a victim of identity theft. This insurance would provide financial relief of up to $1 million for covered identity restoration costs, legal defense expenses, and lost wages that occur within 12 months after the stolen identity event.

I'm tempted, but worried about sharing any of my info again.
 
Wolves Evolve said:
I REALLY don't want AllClear ID protection thank you very much. Well apart from having yet another company with all my information, if there's ever been a clearer target for Anonymous, I haven't seen it. I appreciate the gesture, but no way in hell will I be signing up.

Yeah seriously. The internet's gone to shit in the last week and now you're basically pinning the target on these guys.

No thanks.
 
A day or two..
Within a week..
Details shortly..
Coming days..

Even if they just ballparked a date I would be happy. So fucking aggravated with this shit.
 
So is there any way I can get my money back for buying SOCOM 4? Don't think I want it anymore. I played it twice before PSN went down.
 
alejob said:
So is there any way I can get my money back for buying SOCOM 4? Don't think I want it anymore. I played it twice before PSN went down.
Take it back to the store or sell it?
 
GeoramA said:
A day or two..
Within a week..
Details shortly..
Coming days..

Even if they just ballparked a date I would be happy. So fucking aggravated with this shit.
Stringer probably wrote the letter a few days ago. I wouldn't infer anything from his placing.

The reality is that no one knows. It will go up when the engineers are happy. The PR people will be the last to know.
 
LastPass CEO talks with PC World on their security breach. That was fast.

Exclusive: LastPass CEO Explains Possible Hack
The company's CEO talks exclusively with PCWorld about a possible breach into its password storage service, what went down, and how worried its millions of users should be.

By JR Raphael, PCWorld

The CEO of password management company LastPass says it's highly unlikely hackers gained access to his millions of users' data--but that he doesn't want to take any chances.

Speaking exclusively with PCWorld, LastPass CEO Joe Siegrist explained how his company came to the conclusion that its servers, which provide cross-platform password storage for millions of customers, may have been accessed by an outside party. Just one day earlier, LastPass announced via its blog that it had noticed a "network traffic anomaly" and was implementing additional security as a result.

Siegrist now says he may have been "too alarmist" in assuming the worst, but that--even if it ended up hurting his company's image--he wanted to act quickly and make sure everyone was informed. Given the proximity of the event to Sony's PlayStation Network hack, after all, security was certainly high on many users' minds.

I chatted with Siegrist for about half an hour Thursday afternoon. The following is an edited version of our conversation.

[Read: LastPass, Online Password Manager, May Have Been Hacked]

PCWorld: What exactly happened that made you think something was amiss?

Siegrist: We tend to look over traffic logs and look over what's going on with the networks pretty regularly. Anytime we find any outlier, we want to know why. We try to figure out what's pulling the data and moving the bits.

This one stuck out to us as abnormal because it happened at a time we didn't think anyone was working, and it was from machines that wouldn't be transferring a lot of data between each other. Because of that, it made us a little nervous, a little antsy, so we decided to go through the worst-possible potential case, even if we couldn't find any real supporting evidence that anything bad had occurred.

PCW: What do you know right now about what kind of data could have been taken or compromised?

Siegrist: With the level and the scale of the transfer, we don't think a lot of data could have been taken--but certainly enough to cover people's usernames and [encrypted] passwords. That would be enough to set up a potential attacker so they could start going through and looking for people with weak master passwords without having to hit our servers. That's really the threat that we're concerned about and why we're handling it the way we are.

We know the machines involved have the users' encrypted blob data as well as the data for their usernames, their password hashes, and the salt for those hashes. Because of that and the size of the data, we don't think more than a couple hundred blobs could have been taken.

[Author's note: Salting is a technique that is used to make it harder for people to misuse stolen passwords. A randomly generated key is added to the password before it is obscured, or hashed.]

We're trying to look at what is the worst possible case and how we can mitigate any risks coming out of that. Could this be just some kind of weird glitch? It could. But we haven't had any of those before, and we've been watching this a long time.


PCW: We're talking about blobs, hashes, and salts--a lot of phrases folks aren't used to hearing. What does all of this mean in terms of what was actually in that data and what someone could glean from it?

Siegrist: You can combine the user's e-mail, a guess on their master password, and the salt and do various rounds of one-way mathematics against it. When you do all of that, what you're potentially left with is the ability to see from that data whether a guess on a master password is correct without having to hit our servers directly through the website.

The threat is that once somebody has that process down, they can start running it relatively quickly, checking thousands of possible passwords per second. If you made a strong master password, you are pretty much in the clear--it's not really an attackable thing. But if you used a dictionary word, that is within the realm of someone cracking it in a reasonable time frame.

[Author's note: The master password is the password used to protect a user's LastPass account. With it, you would be able to sign into the account and then directly access all the passwords that user has stored on LastPass's servers.]

PCW: So, to set the record straight: Is there any chance whatsoever that passwords users stored in their LastPass accounts could now be compromised?

Siegrist: We don't think there's much of any chance of that at this stage. If there was, it would be on the orders of tens of users out of millions that could be in that scenario, just because of the amount of data that we saw moved. But it's hard for us to be 100 percent definitive without knowing everything.

That said, the chances that one of those, say, hundred accounts had a weak master password is relatively low.

PCW: If someone had what you'd consider a strong master password, then, would they have any reason to be worried at this point?

Siegrist: No. None.

PCW: What steps are you recommending users take now?

Siegrist: If you used a strong master password, even if anything had been taken, there shouldn't be any cause for concern. If you used a weak master password, there might be a little more risk, but it's kind of a one in a million kind of a risk based on the total amount of data that was transferred. If you used a weak master password, it's probably wise now to replace it with a strong one and look at your most critical sites--your banking, your e-mail--and think about changing those.


[Author's note: LastPass is also requiring some users to change their master passwords with the service as a precaution.]

PCW: Some users have said they've been locked out of their accounts, or that their stored passwords are missing when they sign in. What's going on in those instances and what do you suggest people do?

Siegrist: What we think is essentially that they're using a new password but that there's old data on their computer from before the password change. What we're suggesting is that people re-login or clear their local cache, which can be done in the LastPass plugin. They can also always contact us and we can help them out.

PCW: Tell me about what steps LastPass is taking to further bolster security in light of all of this.

Siegrist: When signing in, we're forcing every user to prove to us that they're coming from an IP that we've seen them come from before, or prove that they still have access to their e-mail. We think by taking those steps, we're locking down any chance that somebody that guessed one of the master passwords would have any shot of getting in.

In retrospect, we probably overthought this a bit and we're maybe too alarmist ourselves. The real message needs to be that if you have a strong master password, nothing that could have been done would have exposed your data. The only thing we're worried about is people that have weak ones. That's why we're making all these moves.


A lot of the services on the servers that were involved have also been locked down as a precaution, and we're still investigating on that end as well. We haven't found anything unusual yet, but we're still looking at it.

[Author's note: LastPass has also now said it's rolling out stronger encryption standards on its data. Full technical details are available at the company's blog.]

PCW: What would you say to someone who's seen some of today's coverage and is feeling apprehensive about continuing to store their passwords with LastPass?

Siegrist: I'd say that anytime you're storing data centrally, you're risking something. That said, if you handle things the right way by using a strong master password, you really do protect yourself. I think we're in a better position than most, but that being said, we are relying on our users a bit and that is something we need to make easier.


We tried to handle this the way we'd want it to be handled if we were users. And that's what we're looking at. We're trying our best to do what's right.
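
Added example, not part of the original post or the PCWorld interview: a sketch of the salted, iterated one-way check Siegrist describes and of why a dictionary word falls quickly to offline guessing while a long random master password does not. PBKDF2-HMAC-SHA256, the round count, the guess rate, the word-list size and the account values are all assumptions made for illustration, not LastPass's actual scheme or figures.

```python
import hashlib
import hmac

# Constructed values for illustration; none of them come from LastPass.
ROUNDS = 1_000                 # assumed iteration count, kept low so the demo is fast
GUESSES_PER_SECOND = 5_000     # "thousands ... per second", as in the interview
DICTIONARY_SIZE = 100_000      # assumed size of a common-word list
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_verifier(email, master_password, salt, rounds=ROUNDS):
    """Salted, iterated one-way function over e-mail + master password."""
    material = f"{email.lower()}:{master_password}".encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, rounds)


def matches(stored, email, candidate, salt, rounds=ROUNDS):
    """The check a server runs at login. With the stored values in hand it
    can be run anywhere, which is the offline risk the interview describes."""
    derived = derive_verifier(email, candidate, salt, rounds)
    return hmac.compare_digest(stored, derived)


def average_seconds_to_find(keyspace, guesses_per_second=GUESSES_PER_SECOND):
    """Expected search time: half the keyspace is tried on average."""
    return (keyspace / 2) / guesses_per_second


def random_password_keyspace(alphabet_size, length):
    """Number of equally likely passwords of this length and alphabet."""
    return alphabet_size ** length


if __name__ == "__main__":
    email = "user@example.com"                                # constructed account
    # Constructed fixed salts; a real system draws them from os.urandom().
    salt_a, salt_b = bytes(range(16)), bytes(range(16, 32))
    stored = derive_verifier(email, "sunshine", salt_a)
    # Same password, different salt: the stored value differs, so work done
    # against one account does not carry over to another.
    print(stored != derive_verifier(email, "sunshine", salt_b))
    print(matches(stored, email, "sunshine", salt_a))
    print("dictionary word: %.0f s" % average_seconds_to_find(DICTIONARY_SIZE))
    strong = random_password_keyspace(94, 12)  # 12 random printable ASCII chars
    print("random 12 chars: %.1e years"
          % (average_seconds_to_find(strong) / SECONDS_PER_YEAR))
```

Raising `ROUNDS` lowers the achievable guess rate proportionally, which lengthens both estimates by the same factor.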
 
I want to play some GT5 online already damnit! :lol

I don't really trust that AllClear ID thing. It reminds me a bit too much of LifeLock.. and we all know how well that works.

LifeLock CEO’s Identity Stolen 13 Times
 
So what's the deal with Wario64 and his 'news' posts.. mhmhm oh I know!
Wario64 is teh haxxors!
 
PsychoRaven said:
The better question is who is this guy and why should I give a damn what he is rambling about. Looks like someone looking for attention to me.

Some annoying PS3 fanboy who used to be more active around Killzone 2's release.
 
Wario64 said:
And I'm taking your $20 PSN card prize!
NOOOU!
I'm selling my PS3. SONY you done goofed!

MedHead said:
Wow. Still no apology for failing the consumers with a botched security system, and then throws in the natural disasters for sympathy. That's pretty pathetic.
Agreed, that was lame.
 
MedHead said:
Wow. Still no apology for failing the consumers with a botched security system, and then throws in the natural disasters for sympathy. That's pretty pathetic.
So a major corporation surrounded by government investigations and million dollar lawsuits, and you want them to admit they were at fault.

Yeahhhhhhhhhhhhh. I do think we're reaching the limits of reality here.
 
MedHead said:
Wow. Still no apology for failing the consumers with a botched security system, and then throws in the natural disasters for sympathy. That's pretty pathetic.

This is either the stupidest attempt at a joke post or you must be out of your damned mind.
 
Hex said:
This is either the stupidest attempt at a joke post or you must be out of your damned mind.
Personally I think that the Japan disaster comment was out of place.
EDIT: Who the hell am I to judge that kind of thing?
 
DangerousDave said:
No apology at all.
You misunderstand. They didn't apologize for making the mistake there; they apologized for any inconvenience that was caused by the mistake. That, at least to me, is different.
 
ToyBroker said:
Not to be rude, but we don't care about LastPass in a thread about PSN.
It was being discussed earlier in the thread so I just wanted to follow up on it. I also may be misremembering, but I think a few people were also using the LP intrusion as an example to try and say "see, you shouldn't get mad at Sony for this sort of thing as it happened to them" when LP's response has been completely different in comparison.
 
Hex said:
It really had no purpose there, but saying no apology? Really?
* KazBowing.gif *

That was a pretty clear apology.
 
MedHead said:
Wow. Still no apology for failing the consumers with a botched security system, and then throws in the natural disasters for sympathy. That's pretty pathetic.

Face it, no matter what Sony said or typed, most of yous would not be happy with it anyway. :-]
 
Kagari said:
Some annoying PS3 fanboy who used to be more active around Killzone 2's release.

Not anymore, he is more of a 360 MW2/Black Ops guy now, maybe KZ2 online players hurt him or something..
 
They did apologize "physically" during the press conference...
Apologies are overrated anyway: In today's world, everybody craves a word of comfort, a phrase that would virtually change it all. What we need is concrete measures and a thorough follow-up. The only thing that matters now is how things will unfold once the PSN gets reactivated.
 