Skip to main content

Password-storing service may have been hacked

LastPass says it doesn't know for certain whether its database of master passwords for user accounts was compromised.
LastPass says it doesn't know for certain whether its database of master passwords for user accounts was compromised.
  • LastPass announced Wednesday that it may have been hacked
  • Not all LastPass users are equally at risk, however
  • LastPass noticed some anomalies in data traffic to and from its servers that it couldn't explain

Editor's note: Amy Gahran writes about mobile tech for She is a San Francisco Bay Area writer and media consultant whose blog,, explores how people communicate in the online age.

(CNN) -- Virtually every online service requires users set up an account protected by a password, and the conventional wisdom is that you shouldn't use the same password for multiple accounts. This makes services that help users generate and store strong passwords very appealing.

LastPass, one of the most popular password-storing services, announced Wednesday that it may have been hacked. The company is now asking many of its users to change what its marketing has been touting as "the last password you'll ever need."

LastPass, which manages passwords and reproduces users' personal info for online forms by integrating with their computer or mobile Web browser, doesn't know for certain whether its database of master passwords for user accounts was compromised.

The company noticed some anomalies in data traffic to and from its servers that it couldn't explain. But one possible explanation was a data breach.

"We're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed," wrote CEO Joe Siegrist.

Not all LastPass users are equally at risk. According to the company: "If you have a strong, nondictionary-based password or pass phrase, this shouldn't impact you. The potential threat here is brute-forcing your master password using dictionary words, then going to LastPass with that password to get your data. Unfortunately not everyone picks a master password that's immune to brute forcing."

Initially, as a security measure, LastPass tried forcing all users to change their master passwords. But this slowed down their system too much. So now they've implemented a system to verify user e-mail addresses. Once you verify your e-mail, most LastPass users can wait a few days to change the master password.

What to do: If you use LastPass and your master password was a simple dictionary word, you should verify your e-mail with LastPass and then change to a stronger password sometime in the next few days. Security expert Bruce Schneier offers advice on choosing strong passwords.

This LastPass incident indicates the importance of consumer-friendly communications about data security, especially for services that are actively marketed to, and popular with, nontech-savvy consumers.

Many consumers are intimidated by online security. They keep hearing they face dire risks online and need to protect themselves -- but doing so on their own seems cumbersome and uncertain.

The whole point of using a service like LastPass (or its competitors, such as RoboForm or 1Password) is to make an average person's online experience simpler and safer.

The catch is that the field of data security is highly complex and technical. Often, the people who are skilled enough at it to create reliable services that become popular with consumers aren't very good at communicating in ways that consumers understand. This can inadvertently create fear, uncertainty and doubt, which can backfire on data security vendors and consumers alike.

For example, Siegert's LastPass blog post announcing the possible breach included passages like this: "We know roughly the amount of data transferred and that it's big enough to have transferred people's e-mail addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs."

Similarly, the last line in that post as of this writing (further updates might be possible) instructs users: "You can access your data via LastPass in offline mode (pull the cable out of the wall, then login) or by downloading LastPass Pocket: (choose your OS)."

However, it's unclear which kind of data users can access this way, or how this step might help them, or how they can decide whether they should do this.

Furthermore, "pull the cable out of the wall" sounds rather daunting. Without further clarification, an instruction like that might cause some nontechnical users to inadvertently damage their home broadband connections.

I'm not saying LastPass did anything wrong here. I agree with Wall Street Journal technology editor Ben Rooney that LastPass acted quickly and responsibly to protect its customers.

Still, the way the company has been communicating so far about this incident with its customers, most of whom probably aren't as tech-savvy as Rooney, leaves something to be desired.

The opinions expressed in this post are solely those of Amy Gahran.


Most popular Tech stories right now