By Linn Freedman | Robinson & Cole Data Privacy + Security Insider
LastPass, a company offering a product that lets customers centrally manage their passwords with a single password, disclosed on its blog on June 15, 2015, that intruders had broken into its system and absconded with users’ email addresses, password reminders, server per-user salts and authentication hashes. According to LastPass, it “quickly detected, contained, evaluated the scope of the incident, and secured all user accounts.”
LastPass posted FAQs on its website on June 16th in response to a flurry of questions. The first FAQ, “Was my master password exposed?”, was answered with a firm “No.” LastPass explained that it never has access to a customer’s master password, and therefore the hackers did not get access to it either. LastPass uses encryption and hashing algorithms for both the username and master password. Further, LastPass confirmed that the encrypted user vaults were not compromised, so no data stored in customers’ vaults was at risk. Nonetheless, LastPass is requiring that customers change their master password, and is further recommending that it be changed if it has been used for any other website.
The lesson here is that even companies with the most sophisticated security measures are vulnerable to attack and compromise. So if you aren’t the most sophisticated company, and you haven’t suffered a security compromise, either it has already happened and you don’t know it, or it will. If implementing privacy and security measures is not at the top of your priority list, you might consider placing it there now.