We know it’s hard to keep track of passwords. A good security practice is to use different and complex passwords across different platforms, but it is so hard to keep track of all of them. That’s why password management products have entered the marketplace—to help us manage our passwords. But what happens when the password management system gets hacked?
On June 15, 2015, LastPass, a company offering a product for customers to centrally manage their passwords with a single password, disclosed on its blog that intruders had broken into its system and absconded with users’ email addresses, password reminders, server-side per-user salts and authentication hashes. According to LastPass, it “quickly detected, contained, evaluated the scope of the incident, and secured all user accounts.”
LastPass posted FAQs on its website on June 16th in response to a flurry of questions. The first FAQ, “Was my master password exposed?”, was answered with a firm “No.” LastPass explained that LastPass never has access to a customer’s master password, and therefore the hackers did not get access to it either. LastPass uses encryption and hashing algorithms for both the username and master password. Further, LastPass confirmed that the encrypted user vaults were not compromised, so no data stored in customers’ vaults was at risk. Nonetheless, LastPass is requiring that customers change their master password, and further recommending that it be changed if it has been used for any other website.
The lesson here is that even companies with the most sophisticated security measures are vulnerable to attack and compromise. So if you aren’t the most sophisticated company, and you haven’t suffered a security compromise, either you don’t know that it has already happened or it will. If implementing privacy and security measures is not at the top of your priority list, you might consider placing it there now.