LastPass Password Troubles: What Happened?

LastPass is the latest company to find itself in the middle of a data security situation, but is your information in danger?

May 6, 2011

As PCMag security analyst Neil Rubenking explained, the nature of the LastPass warning makes it unlikely that your passwords have been accessed by hackers, a fact that LastPass CEO Joe Siegrist confirmed in a Thursday interview with PCWorld.

"We don't think there's much of any chance of [compromised passwords] at this stage," Siegrist said. "If there was, it would be on the orders of tens of users out of millions that could be in that scenario, just because of the amount of data that we saw moved. But it's hard for us to be 100 percent definitive without knowing everything."

As LastPass explained in a blog post, the company on Tuesday noticed a "network traffic anomaly" on one of its non-critical machines. That alone wasn't a major red flag; it happens occasionally either via an employee or automated script, LastPass said. The problem, however, was that the company could not identify the root cause. LastPass also found a "similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server)."

As a result, LastPass decided to "be paranoid and assume the worst" and asked that its customers change their master password. As PCMag's Rubenking explained, LastPass provides users with a single, very strong "master" password, and then remembers all your other Web site passwords. It can also fill in Web forms with your personal information. Your personal data and saved passwords are stored online in encrypted form, but your master password isn't stored anywhere. If you forget it, you're out of luck.

Having all of its users change their master passwords at the same time, however, led to a server overload at LastPass. The company allowed people to log in via "offline" mode, so they could carry on with their business as LastPass worked through the email validation/password change process.

Early this morning, LastPass said it has added the option for people to tell LastPass that they know their master password is strong and does not need to be changed. "We apologize for not having that available when we announced," the company said.

"We've identified an issue with roughly 0.5 percent of users that impacted their master password change, and will be contacting you tomorrow rolling you back to before the change," LastPass said.

Users still experiencing problems with logins or passwords are encouraged to contact the company via [email protected].

Meanwhile, the Xmarks bookmark syncing service that LastPass acquired is not affected. "Different machines, networks, databases," Siegrist told Computerworld.
