LastPass hacked; Exetel dumps users; 600m Samsung phones at risk

Password management service LastPass has been hacked, with perpetrators gaining access to some elements of users’ data.

In an official blog post last week, the company revealed that on 12 June it “discovered and blocked suspicious activity” on its network.

The company said an investigation showed that LastPass account email addresses, password reminders, server per user salts and authentication hashes were compromised in the attack.

Master passwords were not exposed in the attack, the company said, adding, “LastPass never has access to your master password. We use encryption and hashing algorithms of the highest standard to protect user data.”

“We are confident that our encryption measures are sufficient to protect the vast majority of users,” the blog post said.

Despite this confidence, the company said it will be prompting all users to change their master passwords.

The company also recommended that if a user has used their LastPass master password as the password on any other website, they should change their password on those other sites.

The company said it found no evidence that encrypted user vault data was taken.

For those worried about their LastPass account, more details on what was and was not compromised in the attack is available at the LastPass blog.

Exetel dumps 400 users

ISP Exetel has reportedly jettisoned 400 customers it deemed to be “heavy” users and possibly incurred the wrath of the ACCC in the process.

According to ITnews, Exetel’s chief marketing officer, Ben Colman, said the company had decided to terminate the plans of 400 users following a regular review of customer usage, network performance and cost.

The ISP reportedly advised affected customers to transfer their service to another carrier within 30 days.

“The customers affected are all operating on old plans and are out of contract. We believe it is unfair for current users to subsidise a handful of exceedingly heavy users who have not re-contracted with Exetel at our current, and very competitive, prices,” Colman was quoted as saying. “For the benefit of all our customers, we’ve taken the difficult decision to let go a small number of users.”

Many of the affected customers claimed to have never reached their full allocated data cap, according to ITnews. Indeed, the ISP reportedly said that 25% of users whose services were terminated were on unlimited plans.

The termination of services offered on unlimited plans may cause some problems for Exetel. The ACCC told Cnet that ISPs and telcos need to be careful offering “unlimited” plans that are qualified with conditions.

“Telco businesses that make sweeping offers of unlimited services while concealing the true extent of the service in the fine print or undisclosed ‘fair use policies’ risk being in breach of the [Australian Consumer Law], regardless of the length of the customer contract,” an ACCC spokesman was quoted as saying.

“The ACCC would be concerned if restrictions were being placed on certain customers, including non-eligibility for ‘unlimited’ services, where the potential for there to be such restrictions was not clearly identified in advertising materials.”

Exetel seems satisfied it’s on the right side of the law, however. Cnet quoted the ISP as saying: “We are confident that the difficult decision to part company with around 400 customers who are off-contract fully meets our obligations under Australian telecommunications law.”

600 million Samsung phones at risk

Up to 600 million Samsung smartphones contain a security flaw that could allow attackers to monitor users’ phone calls and install malware on the devices, Fairfax reported.

According to Fairfax, security company NowSecure found that the flaw could allow attackers access to an affected phone’s camera, microphone, files, GPS data and the content of voice calls and text messages. An attacker could also secretly install malware on an affected phone, NowSecure reportedly said.

It has been widely reported that the flaw involves SwiftKey keyboard software that comes pre-installed on some Samsung phones.

But a second Fairfax story said that SwiftKey has placed responsibility for the issue with Samsung.

“We supply Samsung with the core technology that powers the word predictions in their keyboard,” SwiftKey was quoted as saying. “It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability.”

Fairfax reported that the flaw remains even if a user installs and uses an alternative keyboard to the one that came pre-installed on their device.

Cnet reported late last week that Samsung said it would soon release a fix for the problem, and the fix would be accessible through the Samsung Knox service.

Image courtesy Kārlis Dambrāns under CC