A breach at LastPass has password lessons for all of us

The password manager hack should make us reassess whether to trust companies to store our sensitive data in the cloud.

While many of us disconnected from the Internet to spend time with loved ones during the holidays, LastPass, the creator of a popular security program for managing digital passwords, delivered the most unwanted gift. It published details of a recent security breach in which cybercriminals obtained copies of customer password vaults, potentially exposing the information of millions of people online.

From a hacker's perspective, this is the equivalent of hitting the jackpot.

When you use a password manager like LastPass or 1Password, it stores a list of all the usernames and passwords for the sites and apps you use, including bank, healthcare, email, and social media accounts. It keeps this list, called a vault, in its online cloud so you have easy access to your passwords from any device. LastPass said the hackers stole copies of each customer's list of usernames and passwords from the company's servers.

This breach was one of the worst things that could happen to a security product designed to take care of your passwords. But aside from the obvious next step - changing all of your passwords if you've used LastPass - there are some important lessons we can learn from this debacle, including that security products aren't foolproof, especially when they store our sensitive data in the cloud.

First, it's important to understand what happened: the company said that intruders gained access to its cloud database and obtained a copy of the data vaults of tens of millions of customers using credentials and keys stolen from a LastPass employee.

LastPass, which published details of the breach in a blog post on December 22, tried to reassure its users that their information was likely safe. It said some parts of people's vaults, such as the web addresses of sites they logged into, weren't encrypted, but that sensitive data, including usernames and passwords, was encrypted. This would suggest that hackers might know which banking website someone uses but not have the username and password required to log into that person's account.

Most importantly, the master passwords that users set up to unlock their LastPass vaults were also encrypted. This means that hackers would then have to crack the encrypted master passwords to get the rest of the passwords in each vault, which would be hard to do as long as people used a unique and complex master password.
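As an added illustration, not LastPass's code: a vault entry modelled the way the article describes it, with the site URL stored in plaintext and the username and password encrypted under a key stretched from the master password. The iteration count and the encrypt-then-MAC construction (built only from the Python standard library) are assumptions standing in for the product's real cipher; the point is what a stolen copy reveals and why every guess at the master password is made expensive.

```python
import hashlib
import hmac
import secrets

# Assumed parameters: illustrative only, not LastPass's actual settings.
ITERATIONS = 100_000
NONCE_LEN, TAG_LEN = 16, 32


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password so each guess costs ITERATIONS hash computations."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    # Separate keys for encryption and integrity, both derived from the vault key.
    return hmac.new(key, b"enc", "sha256").digest(), hmac.new(key, b"mac", "sha256").digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a keyed PRF; a stand-in for a real stream/AEAD cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong master password or tampered entry")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_vault_entry(master_password: str, salt: bytes, url: str, username: str, password: str) -> dict:
    key = derive_vault_key(master_password, salt)
    return {"url": url, "username": _seal(key, username.encode()), "password": _seal(key, password.encode())}


def what_a_thief_sees(entry: dict) -> dict:
    """What a stolen copy exposes without the master password: the site, not the credentials."""
    return {"url": entry["url"], "username": "<encrypted blob>", "password": "<encrypted blob>"}


def open_vault_entry(master_password: str, salt: bytes, entry: dict) -> dict:
    key = derive_vault_key(master_password, salt)
    return {"url": entry["url"], "username": _open(key, entry["username"]).decode(), "password": _open(key, entry["password"]).decode()}
```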

Karim Toubba, CEO of LastPass, declined to be interviewed but wrote in an emailed statement that the incident demonstrated the strength of the company's system architecture, which he said kept sensitive vault data encrypted and secure. He also said it was the responsibility of users to "practice good password hygiene".

Many security experts did not share Mr. Toubba's optimism and said every LastPass user should change all of their passwords.

"This is very serious," said Sinan Eren, an executive at Barracuda, a security company. "I consider all of these managed passwords to be compromised."

Casey Ellis, CTO of security firm Bugcrowd, said it was significant that intruders have access to the lists of website addresses that people have used.

"Let's say I'm coming after you," Ellis said. "I can view all of the websites for which you have recorded information and use it to plan an attack. Every LastPass user now has that data in the hands of an adversary."

Here are the lessons we can all learn from this breach to stay safe online.

Prevention is better than cure.

The LastPass breach reminds us that it is easier to put in place safeguards for our...
