LastPast Security Breach Notification
For those of you who have not heard, LastPass had a security breach. An announcement came out that some data might have been compromised on servers at LastPass, they are the password management company that hosts my encrypted password database
Disappointed No Email Notice From LastPass
I am a huge fan of LastPass. Its a great product, I am very disappointed I never received an email from LastPass, letting me know they had been compromised. Given I am using a paid version of the product, I would have expected an email from LastPass pushed out to me.Once again a great Product. Very disappointed in the way this has been handled by LastPass.
LastPass is in the Security business, they should have handled this incident better. Breaches will always happen, I do not fault them for that. I do fault them for how it was handled.
On the other-hand I love how the security team at Hosting handled the issue. They did it right. They got the word quickly out to the customers and they also made it clear what steps need to be taken. Here is part of an announcement sent out by Hosting to our customers.
Hosting Announcement to Our Customers
LastPass released a notification today that they found unauthorized access into their systems. LastPass is a widely used “secure” online password storage tool which is utilized by a number of our employee’s. If you are not using LastPass you can disregard the rest of this message. As the public disclosure was just released today not many details exist, however, LastPass has stated that:
“we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”
Although they were following a very robust hashing process LastPass has recommended that users update their master password and enable multifactor authentication to ensure their vault data is properly secured. If you used your master password for other sites those sites should be updated as well. Please ensure that in the future proper security practices are followed by not reusing passwords between sites.
Steps We Recommend Customers Take
HOSTING is also requesting that any passwords contained in your user vault that can be tied to a HOSTING controlled resource be updated as well. Although there is no indication that the encrypted user vaults were accessed we are requesting this update as a preventative measure as the investigation into this incident is still in its infancy and there is the possibility that more data was accessed than is currently believed.
At this time we do not have any additional information than what was provided by their public disclosure which can be viewed at the URL below:
Important Read the Official Notice From LastPass
What Happened When I changed My Master Password
As soon as I changed my Master Password, the file that holds all my passwords was re-encrypted with a new key.
Why Everyone Should Be Using A Password Manager like LastPass
Since I started using LastPass I can say the following:
- Every Password is Unique on Every Account
- Every Password is Long and Complicated
- Standard Password Upper and Lower Case
- Standard Password Numbers, Letter, Special Characters
- Able to use Multifactor Authentication
- Password Vault Can only be accessed from locations I authorize
The list goes on and on. I am huge fan of Password Managers. LastPass is a great product. I wish they had handled this incident better. They took to long to get the word out.
Finally Received Notification From LastPast
Here is a copy of what I received tonight (June 15th, 8:07 PM)..
Dear LastPass User,
We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised.
We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.
We apologize for the inconvenience, but ultimately we believe this will better protect LastPass users. Thank you for your understanding, and for using LastPass.
The LastPass Team
To learn more here was the link..
My Personal Twitter Account: Michael_Corey
Ntirety Corporate Twitter Account: Ntirety