This is not good at all. LastPass (the rather excellent password management system) has potentially been compromised. Although the LastPass team were quick to spot the shenanigans taking place, they've advised users to change their master password (in fact, they intend to force a password change for everyone).
As the Lastpass team notes:
If you have a strong, non-dictionary based password or pass phrase, this shouldn’t impact you – the potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that’s immune to brute forcing.
This is why you don't set your master password to "password". Their swift response to the possible attack is rather heartening, so kudos for that. If you weren't using a strong master password before, take this as the warning shot: do something about it the next time you log in to your LastPass account.
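To make the threat in the quote concrete, here is an added illustration (not code from the original post, and not a description of LastPass's actual storage scheme) of what "brute forcing your master password using dictionary words" means: an attacker who walks off with a copy of a stored verifier can test guesses offline, at their own pace, with no login rate limit in the way. The verifier format (salted PBKDF2-HMAC-SHA256), the small wordlist and the mangling rules are all assumptions made for this example. A master password built from a dictionary word plus the usual tweaks falls in a handful of guesses; a long random passphrase is simply not in the list.

```python
"""Offline dictionary attack against a salted, iterated password verifier.

Added example: the verifier format (PBKDF2-HMAC-SHA256), the iteration
count, the wordlist and the mangling rules are assumptions for illustration,
not LastPass's real scheme.
"""
import hashlib
import hmac
import os

# Deliberately low so the demo runs in a second or so; real deployments use
# far more iterations precisely to slow this attack down.
ITERATIONS = 1_000

# Constructed stand-in for an attacker's dictionary (real lists run to
# millions of entries, which is why "a word plus a digit" buys you nothing).
WORDLIST = [
    "password", "letmein", "welcome", "monkey", "dragon", "qwerty", "sunshine",
    "princess", "football", "baseball", "shadow", "master", "superman", "batman",
    "trustno1", "iloveyou", "hello", "freedom", "whatever", "ninja", "mustang",
    "access", "flower", "starwars", "secret", "summer", "winter", "cheese",
    "london", "liverpool",
]


def make_verifier(password, salt=None, iterations=ITERATIONS):
    """What a server stores instead of the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check(password, verifier):
    """Recompute the digest for a guess and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), verifier["salt"], verifier["iterations"]
    )
    return hmac.compare_digest(digest, verifier["digest"])


def mangle(word):
    """The tweaks users think make a word safe: capitalisation and a suffix.

    Yields exactly 10 candidates per base word.
    """
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2011"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_attack(verifier, wordlist=WORDLIST):
    """Try every mangled wordlist entry against a stolen verifier.

    Returns (recovered_password, guesses_tried), or (None, guesses_tried)
    when nothing in the list matches.
    """
    tried = 0
    for word in wordlist:
        for guess in mangle(word):
            tried += 1
            if check(guess, verifier):
                return guess, tried
    return None, tried


if __name__ == "__main__":
    # Weak: a dictionary word with the usual decorations.
    weak = make_verifier("Monkey123")
    print("weak   ->", dictionary_attack(weak))

    # Strong: a long random passphrase; the same attacker exhausts the
    # whole list and learns nothing.
    strong = make_verifier("tundra-velvet-orbit-cactus-91")
    print("strong ->", dictionary_attack(strong))
```

Run it as-is to see the weak password recovered after a few dozen guesses and the passphrase survive the entire list. The two levers a defender controls are visible in the code: the iteration count (cost per guess) and, above all, keeping the master password out of any wordlist the attacker could possibly hold.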
Update: It seems many users are having issues logging in to their LastPass accounts since changes were made to prevent unauthorised access. Here are some tips posted by users to the LastPass blog; they may be useful to you:
1) For all of you who are affected by the “Your account settings have restricted you from logging in from this mobile device.” problem: I was able to login with one of my One-Time-Passwords I had generated when I set up the account. I was then asked again to change my master password, but this time I was asked for grid authentication, and after passing this the change succeeded. – Anon
2) If you get this message: An error occurred while retrieving your accounts. Close all of your browsers, clear cookies and log in again. It worked for me. – Anon
3) Ok so I got pwned by this message: “Your account settings have restricted you from logging in from this mobile device.” and had to delete and recreate my account. Here is how I did it.
– Download Lastpass pocket -> https://lastpass.com/pocket.exe
– Run pocket.exe and login using your existing username and password.
– Export your stuff to a csv file
– Delete your lastpass account -> http://helpdesk.lastpass.com/account-recovery/ (4th option)
– Recreate the lastpass account by signing in at lastpass.com
– Using your lastpass browser extension -> Tools -> Import from -> Other -> Select "CSV" from drop down -> Copy and paste the contents of the lastpass export csv file into the window and import everything. – Owais
4) Many users are reporting being locked out after a successful password change. It seems waiting 15 to 30 minutes and then trying again does the trick. I imagine half their user base just turned up at the front door at once, which probably isn't the best thing that could happen.
5) The website gets stuck at the login screen, looping round forever (or until you get bored and close the tab at any rate). Get around this by logging in via the Firefox plugin – you have that installed, right? – Thanks to Kurt Wismer for that one.