post

The LastNews (!) You Want to Hear is LastPass Hacked. Now What?

Password management service LastPass notified users their servers may have been hacked. I take a minute break, let it sink in.

Yes, this is the one (Last) uber-super secure system you trust with ALL your passwords.  Ouch.  But d

espite the hacking, LastPass says users who had a strong master password in the first place are still safe (and they are forcing users to change that master password now).

I’m not a security expert and don’t pretend to be one, so all you can get from me is some ramblings from a business user:

 

Most of us are at an even higher risk every day: statistics show that over 60% of Internet users

have a favorite set of login credentials …

(Cross-posted @ CloudAve » Zoli Erdos)

post

Atlassian Security Breach and Warning. >>> Update: Apology and Disclosure

crikey Well, well, hours after telling you not to change passwords, now I am telling you to change it… but this time with good reason. Minutes ago I’ve received a email from Atlassian:

We are sending you this message because we experienced a security breach and suspect that your Atlassian customer account password details (only) may have been compromised.
It is very unlikely that an unauthorised user has had the opportunity to log in to your account so far and if they have, there is very little in the way of personal information which could have been accessed. However, to minimise any further risk to your Atlassian account being compromised, we strongly recommend that you change your Atlassian account password as soon as possible using the procedure below.
Be aware that this security issue only affects Atlassian customers who created an Atlassian account and purchased one of our products before June 2008. Since then, we have been using a more secure user management system based on Atlassian’s Crowd product. When you change your Atlassian account password using the procedure below, your Atlassian customer account details will be stored in our updated Crowd user management system, which will further minimise the chance of a security breach occurring in future.
Procedure for changing your Atlassian customer account password:
1) Login to http://my.atlassian.com
2) Click “My Profile” (3rd tab)
3) Click “Change Password” (in Contact Information section)
4) Update your password to a new value
Atlassian apologises for the inconvenience caused. However, this is an extremely rare event for us and since we take security issues seriously, we are taking every precaution possible to minimise the effects of this security breach.

Sincerely/Best regards,
Glenn Butcher
Director of IT

Not fun .. and I expect to we’ll hear more from Atlassian soon.  For now they are obviously figthing whatever it is – status update from Twitter:

Atlassian had a security breach. Apologies for the confusion. Our site is experiencing heavy loads. We are working on getting back up ASAP.

Personally I am safe – I don’t have active accounts, just decided to help push Atlassian’s charity towards the finish line by purchasing 10 licences, but if you do, time to change the passwords…

Update:  co-Founder and co-CEO Mike Cannon-Brookes posted the details on the Atlassian blog.

Apparently an old, inactive database table that had already been migrated in July 2008 to the secure Crowd identity management system was not deleted mistakenly.  That indirectly answers the speculation about Atlassian passwords being stored in plain text format.  They are not – anymore, but they used to be, prior to July 2008.

Mike goes on to detail what was / was not compromised:  read for changes, they are resetting potentially compromised account passwords now.

He does not BS, owns up the mistake:

We made a big error. For this we are, of course, extremely sorry. The legacy customer database, with passwords stored in plain text, was a liability. Even though it wasn’t active, it should have been deleted. There’s no logical explanation for why it wasn’t, other than as we moved off one project, and on to the next one, we dropped the ball and screwed up.

They are still investigating what happened and Mike promises full disclosure, coming this week.

It’s been a bad day for Atlassian and some of their customers – but I’m glad they live up to their “Open Company, No Bullshit” slogan, and respond as expected.

(Cross-posted @ CloudAve)

post

How to Prune Twitter Spammers if Your Account is Compromised

I’ve just received one of those “Hey, I just added you to my Mafia family. You should accept my…” crap-spam-junk invitations on Twitter. Normally these come from accounts I don’t recognize, and I either ignore or block them.  But this time it came from a gray-haired, well-respected industry analysts – I just could not imagine him getting involved.  When I contacted him he told me he himself received 75 Mafia invitations – but the fact that I received it in his name suggests his account got compromised.

He had already changed his Twitter password, yet the hijackers kept on using his account.  That reminded me to share this: changing your password is no longer sufficient to regain control.  I don’t pretent to be a security expert (which we have a few over @ CloudAve), but since more and more Twitter apps are “doing the right thing” and use OAuth authentication, those connections stay valid even after a password change.  So here’s what you should do: go to http://twitter.com/account/connections and check out all the applications listed there.

You may be surprised… the stupid lil’ thing you had checked out and decided you did not like after 5 minutes still sits there, fully authorized.  So do yourself a favor, prune the list.  Whatever you don’t recognize, or no longer want, click “revoke access” – it’s that simple.

(Note: The image above does not depict “bad guys”. it’s a screen shot of my account and I don’ have any – or so I hope.)

(Cross-posted @ CloudAve )