A blog post by company CEO Joe Siegrist has promised that the cryptographically locked vaults have not been broken into, so user vaults holding plaintext passwords are still safe. What has been taken are email addresses, password reminders/answers, hashed user passwords, and cryptographic salts. These were not protected with the same slow hashing mechanism that protects the user vaults.
This is the second security breach in four years at the company. While that might not sound high in the scheme of things, keep in mind that this is a security-specific company. It doesn’t bode well for their reliability.
As many users jump ship to other password services like PerfectCloud, others are wondering what the next step is. Whether you choose to remain a customer or not, you have to take measures to protect your information now that it has been compromised.
All users should immediately change their master password for the site and put two-step authentication into place, if they haven’t already. From there, they can either delete all information on the account and close it, or continue using the service with their new password and security steps.
To be fair to LastPass, their encryption and protection really is significantly stronger than that of most password storage services. If it had used the same rapid hashing as other sites, those plaintext passwords would have been fair game.
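To show why the slow hashing matters once hashes and salts have leaked, here is an added example (not code from the post or from LastPass) contrasting a single salted SHA-256 pass with a PBKDF2 derivation. The password, salt and iteration count are constructed values for illustration only; the point is that every offline guess against the slow scheme costs the attacker the same stretched work the defender chose.

```python
import hashlib
import hmac
import time

# Constructed sample inputs for illustration; not values from the breach.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

# Assumed iteration count; real deployments tune it to their hardware.
# This stretching is what makes the hash "slow" and each guess expensive.
SLOW_ITERATIONS = 100_000


def fast_hash(password: str, salt: bytes) -> bytes:
    """One salted SHA-256 pass: the 'rapid hashing' the post warns about."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int = SLOW_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: a deliberately slow, salted key derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, slow: bool = True) -> bool:
    """Constant-time comparison of a candidate against a stored salted hash."""
    candidate = slow_hash(password, salt) if slow else fast_hash(password, salt)
    return hmac.compare_digest(candidate, stored)


def seconds_per_guess(fn, password: str, salt: bytes, rounds: int) -> float:
    """Average wall-clock cost of one hash computation on this machine."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(password, salt)
    return (time.perf_counter() - start) / rounds


def slowdown_factor(password: str = SAMPLE_PASSWORD, salt: bytes = SAMPLE_SALT) -> float:
    """How many times more work each offline guess costs under the slow scheme."""
    fast = seconds_per_guess(fast_hash, password, salt, rounds=2000)
    slow = seconds_per_guess(slow_hash, password, salt, rounds=5)
    return slow / fast


if __name__ == "__main__":
    stored = slow_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    print("correct password verifies:", verify(SAMPLE_PASSWORD, SAMPLE_SALT, stored))
    print("wrong password verifies:  ", verify("hunter2", SAMPLE_SALT, stored))
    print(f"each guess costs ~{slowdown_factor():,.0f}x more with the slow hash")
```

The measured factor varies by machine, but it is typically in the thousands, which is the margin that separates a leaked hash that is cracked in minutes from one that is not.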
The real issue is not whether or not LastPass is safer than other services, but the inherent risks of storing multiple passwords for different services online in the first place. For many, the convenience is worth the risk until these breaches occur.
With any luck, the threat caused by this hack will not be significant. But it is a stark reminder to users that efficiency comes at a cost. If your password is stored online, it can be taken or used. That puts the user and their accounts at risk, plain and simple. While that might not be a big deal when it comes to their Pinterest account, it is a much bigger one if they are storing bank passwords, or email logins.
If you are going to stick with a password storage service, LastPass’s response shows that they are probably your best bet in spite of this latest breach. But it would be wiser to forgo storing passwords online in the first place.
Source: LastPass Blog