LastPass is Another in a Line of Security Hits!
But, they did a great job and announced it, and caught it early! Kudos to them!
LastPass Password Troubles: What Happened?
LastPass is the latest company to find itself in the middle of a data security situation, but is your information in danger? As PCMag security analyst Neil Rubenking explained yesterday, the nature of the LastPass warning makes it unlikely that your passwords have been accessed by hackers, a fact that LastPass CEO Joe Siegrist confirmed in a Thursday interview with PCWorld.
‘We don’t think there’s much of any chance of [compromised passwords] at this stage,’ Siegrist said. ‘If there was, it would be on the orders of tens of users out of millions that could be in that scenario, just because of the amount of data that we saw moved. But it’s hard for us to be 100 percent definitive without knowing everything.’ As LastPass explained in a blog post, the company on Tuesday noticed a ‘network traffic anomaly’ on one of its non-critical machines. That alone wasn’t a major red flag; it happens occasionally either via an employee or automated script, LastPass said. The problem, however, was that the company could not identify the root cause. LastPass also found a ‘similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server).’
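The signal LastPass describes, a database host sending more data out than it receives, is the kind of thing a simple per-host egress/ingress baseline can surface. The block below is an added example written for this post, not LastPass's tooling; the flow records are constructed sample data and the field layout (day, source, destination, bytes) is an assumption.

```python
"""Flag hosts whose outbound-to-inbound byte ratio jumps well above their own baseline.

Added illustration of the 'more traffic sent from the database than received' check
described above. FLOWS is constructed sample data; the record layout is an assumption.
"""
from collections import defaultdict

# Constructed flow records: (day, src_host, dst_host, bytes).
# db1 normally answers modest queries; on day 3 it pushes ~10x its usual volume
# out while receiving the usual amount, which is the shape of an exfiltration.
FLOWS = [
    # day 1
    (1, "app1", "db1", 50_000), (1, "db1", "app1", 120_000),
    (1, "app1", "web1", 80_000), (1, "web1", "app1", 90_000),
    # day 2
    (2, "app1", "db1", 52_000), (2, "db1", "app1", 125_000),
    (2, "app1", "web1", 82_000), (2, "web1", "app1", 88_000),
    # day 3: db1 egress spikes, ingress unchanged
    (3, "app1", "db1", 51_000), (3, "db1", "app1", 1_250_000),
    (3, "app1", "web1", 81_000), (3, "web1", "app1", 91_000),
]


def per_host_ratios(flows):
    """Return {day: {host: out_bytes / in_bytes}} for every host seen as src or dst."""
    out_b = defaultdict(lambda: defaultdict(int))
    in_b = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        out_b[day][src] += nbytes
        in_b[day][dst] += nbytes
    ratios = {}
    for day in sorted(set(out_b) | set(in_b)):
        hosts = set(out_b[day]) | set(in_b[day])
        # max(..., 1) avoids division by zero for a host that only sent traffic
        ratios[day] = {h: out_b[day][h] / max(in_b[day][h], 1) for h in hosts}
    return ratios


def anomalous_hosts(flows, today, factor=3.0):
    """Hosts whose out/in ratio on `today` exceeds `factor` times their mean ratio on prior days.

    Returns a list of (host, today_ratio, baseline_ratio). Hosts with no history are
    skipped rather than flagged, since there is nothing to compare against.
    """
    ratios = per_host_ratios(flows)
    prior_days = [d for d in ratios if d < today]
    flagged = []
    for host, today_ratio in ratios.get(today, {}).items():
        history = [ratios[d][host] for d in prior_days if host in ratios[d]]
        if not history:
            continue
        baseline = sum(history) / len(history)
        if today_ratio > factor * baseline:
            flagged.append((host, round(today_ratio, 2), round(baseline, 2)))
    return flagged


if __name__ == "__main__":
    for host, now, base in anomalous_hosts(FLOWS, today=3):
        print(f"{host}: out/in ratio {now} vs baseline {base}")
```

The ratio is deliberately per host and relative to that host's own history, because a database legitimately sends more than it receives; what matters is the departure from its norm, not the absolute direction. A real pipeline would read flow exports rather than an inline list and would also alert on sudden absolute egress growth, which this ratio alone would miss if ingress grew in step.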
As a result, LastPass decided to ‘be paranoid and assume the worst’ and asked that its customers change their master password. As PCMag’s Rubenking explained, LastPass provides users with a single, very strong ‘master’ password, and then remembers all your other Web site passwords. It can also fill in Web forms with your personal information. Your personal data and saved passwords are stored online in encrypted form, but your master password isn’t stored anywhere. If you forget it, you’re out of luck.
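The reason a stolen copy of the vault is not the same as stolen passwords is the design the paragraph above sketches: the vault is encrypted under a key derived from the master password on the client, and the server holds only ciphertext plus something it can use to verify a login. The block below is an added example of that model, not LastPass's code: the iteration count, field names and the use of the e-mail address as KDF salt are assumptions, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for a real AEAD such as AES-GCM.

```python
"""Minimal zero-knowledge vault model (added example, not LastPass's implementation).

The server record contains the encrypted vault and a login verifier; the master
password and the vault key never leave the client and are never stored anywhere.
Parameter choices and field names are assumptions made for this illustration.
"""
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 100_000  # assumed value; real deployments raise this over time


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Key that encrypts the vault. Computed on the client and never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ITERATIONS, dklen=32)


def derive_login_verifier(vault_key: bytes, email: str) -> bytes:
    """One extra one-way step so the server can check a login without learning vault_key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, email.lower().encode(), 1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for a real cipher's keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _subkeys(vault_key: bytes):
    # Separate encryption and MAC keys derived from the vault key (encrypt-then-MAC).
    return (hmac.new(vault_key, b"enc", "sha256").digest(),
            hmac.new(vault_key, b"mac", "sha256").digest())


def encrypt_vault(vault_key: bytes, entries: dict) -> bytes:
    """Return nonce || ciphertext || tag for the JSON-encoded entries."""
    enc_key, mac_key = _subkeys(vault_key)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    nonce = os.urandom(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> dict:
    """Verify the tag first; a wrong key or a tampered blob raises before any decryption."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, ks)))


def server_record(email: str, master_password: str, entries: dict) -> dict:
    """Everything the server ever holds for one user. Note what is absent: the master
    password, the vault key, and any plaintext entry."""
    vault_key = derive_vault_key(master_password, email)
    verifier = derive_login_verifier(vault_key, email)
    server_salt = os.urandom(16)  # server-side salt so a leaked record can't be replayed as-is
    return {
        "email": email,
        "server_salt": server_salt,
        "verifier_hash": hashlib.pbkdf2_hmac("sha256", verifier, server_salt, KDF_ITERATIONS),
        "vault_blob": encrypt_vault(vault_key, entries),
    }


def server_checks_login(record: dict, verifier: bytes) -> bool:
    """Server-side login check: re-hash the presented verifier against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", verifier, record["server_salt"], KDF_ITERATIONS)
    return hmac.compare_digest(candidate, record["verifier_hash"])


def client_open_vault(record: dict, master_password: str) -> dict:
    """Client-side: re-derive the key from the master password and decrypt locally."""
    vault_key = derive_vault_key(master_password, record["email"])
    return decrypt_vault(vault_key, record["vault_blob"])
```

Two properties follow directly from the code: an attacker holding the server record has to guess master passwords through the full PBKDF2 cost per attempt, which is why a slow KDF and a strong master password matter; and because the server never sees the vault key, rotating the master password (as LastPass asked users to do) re-encrypts the vault under a key the old record's thief does not have.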
Having all of its users change their master passwords at the same time, however, led to a server overload at LastPass. The company allowed people to log in via ‘offline’ mode, so they could carry on with their business as LastPass worked through the email validation/password change process.
I think LastPass did a great job protecting its users! A security company “being paranoid” is a GOOD thing!