LastPass Data Breach, Is It That Much of a Surprise?

   For those who haven't heard yet, LastPass has suffered a data breach.  According to Joe Siegrist, "account email addresses, password reminders, server per user salts, and authentication hashes were compromised".  For us, the main concern is that you'll need to change your master password.  You'll want to sign in and do this as soon as possible.  LastPass has sent out notices and will be setting up prompts for those affected.  If you're signing in from a different IP or device, LastPass will send a verification email before you can access your account.

   This has become the typical response from companies that suffer a data breach.  I think the most interesting part about this situation is all the comments on LastPass' post.  A lot of customers say they will be switching to different solutions, angry that LastPass let them down.  Let's take a step back for a moment and think about where technology is today.  It's a true, but sad and frustrating, fact that data breaches are a common occurrence.  Odds are, if a company hasn't been breached, it either hasn't detected it or it will be happening soon.  So why such a backlash from LastPass' customer base?

Did anyone expect LastPass to run untarnished for years?
   Most feel their trust has been broken (which is justified, don't get me wrong about that), but what about the other side of it?  Honestly, I'm surprised LastPass has gone on as long as it has without a breach.  That fact, as well as the fact that they are open about what's going on and caught it as quickly as they did, shows that they know what they are doing.  Seriously, how many companies in the last year have disclosed a data breach that actually occurred months earlier?  Another thing LastPass has going for it is that it did what it's supposed to do and properly secured the data that was taken.  According to Joe Siegrist, "LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side."  I'm not a crypto-geek, but as far as I know, that sounds like the right thing to do to protect such sensitive information.  Heck, other companies don't even encrypt [link to Forbes] the really sensitive stuff.
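To make that quote concrete, here is an added example (written for this post, not LastPass's own code) that models the scheme as Siegrist describes it: the client derives an authentication hash from the master password, and the server strengthens what it receives with a random per-user salt and 100,000 rounds of PBKDF2-SHA256. The client-side round count and the use of the email as the client-side salt are assumptions of the example, since the post does not state them.

```python
import hashlib
import hmac
import os

# Assumed client-side iteration count; the post does not give this number.
CLIENT_ROUNDS = 5000
# Server-side iteration count quoted in the post.
SERVER_ROUNDS = 100_000


def client_auth_hash(email: str, master_password: str) -> bytes:
    """Client-side step: derive an authentication hash from the master
    password before anything leaves the device. Salting with the email
    here is an assumption of this example, not a documented detail."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.encode(), CLIENT_ROUNDS
    )


def server_strengthen(auth_hash: bytes, per_user_salt: bytes) -> bytes:
    """Server-side strengthening as described: a random per-user salt and
    100,000 rounds of PBKDF2-SHA256 over the value the client sent."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, SERVER_ROUNDS)


def enroll(email: str, master_password: str) -> dict:
    """Create the stored record: the per-user salt and the strengthened hash.
    This pair is what the breach exposed; the master password itself never
    reaches the server."""
    salt = os.urandom(32)
    stored = server_strengthen(client_auth_hash(email, master_password), salt)
    return {"salt": salt, "hash": stored}


def verify(record: dict, email: str, master_password: str) -> bool:
    """Login check: recompute both stages and compare in constant time.
    Anyone holding a leaked record must pay the same 100,000 rounds for
    every guess they make against it, which is the point of the design."""
    candidate = server_strengthen(
        client_auth_hash(email, master_password), record["salt"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def same_password_different_records(email_a: str, email_b: str, pw: str) -> bool:
    """Two users with the same master password still get unrelated stored
    hashes, because each record has its own random salt."""
    return enroll(email_a, pw)["hash"] != enroll(email_b, pw)["hash"]
```

Because the per-user salt is random, two runs of `enroll` for the same user produce different records; only `verify` ties a record back to the master password.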

   I personally use KeePass and have done so for years.  The main reason is that it was the first password manager I came across, and it doesn't need Internet access to run.  Yes, a few people have picked on me for being a bit paranoid about not using a web service, but a breach like the one that happened to LastPass is the reason I never did.  Regardless of my personal opinions, I still laugh at all the people who are leaving LastPass, because part of their logic is flawed.  It's reasonable for someone to leave a company when that company doesn't do the right thing, but honestly, LastPass is one of the few that does.  Seriously, did anyone expect LastPass to run untarnished for years?  There is no way they wouldn't have suffered a data breach at some point.  From a black hat perspective, LastPass is to passwords what Fort Knox was to gold.  There is no way someone wasn't going to find a way in there eventually.

   Ultimately, people are planning on leaving a (as far as I know) solid service because of a relatively minor breach (from what current sources are saying).  LastPass did all the right things, is being public about what happened and has found a way to resolve the problem.  Should they lose customers for something that is becoming a cost of doing business online when they've done what they are supposed to be doing?  That's something many are deciding on right now.  What about you, are you a LastPass customer?  Are you going to be leaving their service?  Why or why not?  Let's talk about it in the comments below.

About Jimmy R. Tassin

Jimmy Tassin is the IT Manager of Midwest Regional Bank and has been involved with the Technology field for over thirteen years. His two hobbies are overseeing the daily operations of OmniKraft, a Minecraft server community, and writing at Goblinbyte.com.

3 comments:

  1. I think the LastPass panic is ridiculous. Like the author said, LastPass is doing their job quite well. I renewed my subscription and bought myself a Yubikey. I'm still a huge fan of LastPass and will continue to use and recommend them. Basically, the hack posed no real threat and LastPass implemented solid data protection mechanisms.

    Replies
    1. Yeah but the media as a whole blows things out of proportion as we all know. Attach that to the fact people see the word "hack" and freak out. Yes the situation was bad, but it wasn't the per se "worst" possible outcome.

    2. Agreed, unfortunately with how the media is, everyone will freak out (and rightly so) when there is a breach. Few are tech savvy enough to understand the circumstances or even understand that this was inevitable.
