The Column

Tuesday, May 10, 2011

LastPass password system possibly compromised; no panic

If you use LastPass, be careful. In fact, change your master password. Like right now.

A security incident was reported May 3, and the company says that there is no proof of a security breach but they're "erring on the side of caution." Or something.

Here's how they put it:

LastPass Security Incident Information

Dear LastPass User,

We have reason to believe that LastPass user account information may have been accessed due to an illegal intrusion into our network. Despite not having definitive proof of this, we are erring on the side of caution and alerting you on how to safeguard your data.

The LastPass Team

The remedy? Again, change your master password.

From LastPass:

  1. How Likely Is It That My Actual Data Is Compromised?

    It's not. If you used a weak LastPass master password, then it is conceivable that your master password might be compromised.

    Even if this occurred, it is still extremely unlikely that your actual LastPass account data (site passwords, form fill data, etc.) will be compromised.

    This is because the attackers do not possess your actual encrypted data, and because we prevented access to the actual encrypted data immediately after discovering the potential breach. We did this by denying access to your LastPass Vault if you tried to log in from a location that you never used before. Access to your vault from unknown locations is permitted only after you re-verify your identity: LastPass sends you an email and asks you to click on a link within the email.
  2. Why was I not notified by email immediately?

    Our existing email notifications were inefficient. In the interest of securing our users we acted quickly, only notifying the userbase via the company blog and interviews with the media.

    We recognize that users deserved immediate notification of the situation, and are working to develop a system for the future that will be much more efficient in quickly updating our entire userbase.
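
The worry in that FAQ answer is an offline guessing attack: whoever copied the server-side login records gets a salt and a password verifier per user, and can try master-password candidates against them at leisure without ever touching the vault. The script below is an added illustration, not part of the original post and not LastPass's code; the hashing scheme (PBKDF2-HMAC-SHA256 with a per-user salt), the iteration count, the mangling rules, the word list and both master passwords are all constructed assumptions for the example. It shows a dictionary-plus-mangling attack recovering a weak master password in a few dozen guesses while a long passphrase outlives the whole candidate list.

```python
import hashlib
import hmac
import os

# Assumed server-side scheme for this example only (NOT LastPass's actual
# construction): per-user random salt, PBKDF2-HMAC-SHA256 over the master
# password. A copied record contains the salt and the verifier, never the
# vault key and never the encrypted vault.
ITERATIONS = 5000

# Constructed word list, deliberately tiny so the example runs in seconds.
BASE_WORDS = ["password", "letmein", "lastpass", "qwerty", "dragon", "monkey"]


def make_verifier(master_password, salt=None, iterations=ITERATIONS):
    """Build the record a server would store for one user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations
    )
    return {"salt": salt, "iterations": iterations, "hash": digest}


def mangled_candidates(base_words):
    """Yield common password-mangling variants of each base word:
    the word itself, capitalised, each of those with a trailing digit 0-9,
    and each with a trailing '!'. 24 candidates per base word."""
    for word in base_words:
        for form in (word, word.capitalize()):
            yield form
            for digit in range(10):
                yield f"{form}{digit}"
            yield f"{form}!"


def offline_guess(record, candidates, budget):
    """Offline attack against one stolen record: derive the verifier for
    each candidate with the record's own salt and iteration count and
    compare. Returns (recovered_password_or_None, guesses_spent)."""
    tried = 0
    for candidate in candidates:
        if tried >= budget:
            break
        tried += 1
        digest = hashlib.pbkdf2_hmac(
            "sha256",
            candidate.encode("utf-8"),
            record["salt"],
            record["iterations"],
        )
        if hmac.compare_digest(digest, record["hash"]):
            return candidate, tried
    return None, tried


def attack_report(master_password, budget=10_000):
    """Simulate the leak of one user's record and the attack against it."""
    record = make_verifier(master_password)
    return offline_guess(record, mangled_candidates(BASE_WORDS), budget)


if __name__ == "__main__":
    # Constructed examples: a mangled dictionary word versus a passphrase.
    for pw in ("Lastpass1", "correct-horse-battery-staple-9f3a"):
        found, spent = attack_report(pw)
        status = "RECOVERED" if found else "not found"
        print(f"{pw!r}: {status} after {spent} guesses")
```

The salt stops an attacker from reusing one precomputed table across users and the iteration count makes every guess cost more, but neither changes the outcome for a password that sits in the first few thousand candidates of any decent list. That is the whole reason the FAQ pivots on whether your master password was weak, and why changing it is the sensible response.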

Here's the actual status report:

I use LastPass, and will continue to do so. It's a solid system. However, I am looking toward other password-keeping programs, such as KeePass (which saves my password data to disk rather than in the cloud).

Upshot: I don't see this as a panic situation. But still ...