
Saturday, May 14, 2011

LastPass Security Breach Not As Bad As I Thought

The password hack at LastPass was not as bad as I originally thought. Here are the facts of what really went down.

Last week I reported on a story about the password security software LastPass getting hacked. One reader pointed out that I had gotten my facts wrong. I’m not one to let pride get in the way of facts, so I looked it up, and it turns out he was right. Here are the facts.

According to LastPass, they experienced some suspicious activity on their network last week and locked down all the accounts immediately. I originally stated that there had been up to 1.25 million passwords stolen, but that number is insanely inflated. I got my news from Bloomberg, and my guess is they got that number from the fact that so many accounts were locked down by LastPass. The truth of the matter is that they locked down all the accounts because of the suspicious activity. It’s a good move: since they couldn’t be certain at the time whether they had actually been hacked, locking everything down would prevent an attacker from getting any more information than they already had.

According to LastPass there was no evidence that any customer data was leaked, and that even if it had been, it was encrypted. Normally I would balk at the encryption factor, since given enough time any encryption can be cracked. However, in this case LastPass did something very, very, very smart: they forced everyone to change their passwords. Here’s a piece from their blog:

“To counter that potential threat, we're going to force everyone to change their master passwords. Additionally, we're going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP.”

They mentioned on their blog that it might have been a bit of an overreaction, but better safe than sorry, I say.
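To make the gate LastPass describes in that excerpt concrete, here is an added illustration (not LastPass’s own code) of a login decision that combines a forced master-password rotation with a "known IP block or verified email" check. The /24 and /64 block sizes, the state names and the sample account are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    # Assumed flag: set for every account after the incident, cleared once rotated.
    must_rotate_master_password: bool = True
    # Assumed history: network blocks seen on earlier successful logins.
    known_networks: set = field(default_factory=set)


def network_of(ip: str) -> str:
    """Collapse an address to its block: /24 for IPv4, /64 for IPv6 (assumed sizes)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def login_decision(account: Account, password_ok: bool, source_ip: str,
                   email_token_ok: bool = False) -> str:
    """Return 'deny', 'verify_email', 'rotate_password' or 'allow'."""
    if not password_ok:
        return "deny"
    # A correct master password alone is not enough from an unfamiliar block:
    # the user must also prove control of the account's email address.
    if network_of(source_ip) not in account.known_networks and not email_token_ok:
        return "verify_email"
    # Everyone is forced through a master-password change before normal access.
    if account.must_rotate_master_password:
        return "rotate_password"
    return "allow"


def record_successful_login(account: Account, source_ip: str) -> None:
    """Remember the block a completed login came from, for future checks."""
    account.known_networks.add(network_of(source_ip))


def complete_password_rotation(account: Account) -> None:
    """Called after the user has set a new master password."""
    account.must_rotate_master_password = False


if __name__ == "__main__":
    # Constructed sample: a prior login from 198.51.100.0/24, then a login attempt
    # with the correct password from an unseen block, which must verify email first.
    alice = Account(email="alice@example.com")
    record_successful_login(alice, "198.51.100.23")
    print(login_decision(alice, True, "203.0.113.7"))      # verify_email
    print(login_decision(alice, True, "198.51.100.40"))    # rotate_password
```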

LastPass also mentioned on their blog that they don’t have any details on what exactly happened yet, but they’re working on finding all that out. I say kudos to LastPass for being transparent on this matter and handling it so well. Maybe it isn’t such a horrible idea to put all your password eggs in one basket after all.

Also, I offer my apologies for feeding into the media hyperbole and not doing my homework properly. I’ll do my best to make sure it doesn’t happen again, and thanks to the reader who pointed this out to me. I want to bring you guys the facts; if I’m wrong and you know it, I will make sure I fix it. No egos here.
