LastPass drops the ball, but looks good doing it

Password service alerts users to possible data breach

So it turns out that LastPass - which touts itself as a provider of "The last password you'll ever need" - actually offers no such thing.

Not that anyone should have believed otherwise.

The password-management company is in Day 2 of damage control after alerting its millions of users that there's at least a small possibility that their personal data has been put at risk. The company is recommending that users change their LastPass master password - the key to its service - unless they are certain it is a strong one.

From a Computerworld story on our site:

In a blog post on Wednesday, LastPass said it first noticed a network traffic irregularity on Tuesday morning when looking at the logs for one of its non-critical systems. It decided to dig deeper into the problem after it was unable to find a root cause for the problem.

"After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server)," the blog post noted.

Because LastPass has been unable to account for this anomaly, it has decided to assume that the database has been compromised. The amount of data that was transferred out of its system is big enough to have contained people's email addresses, their salted password hashes and the server salt, LastPass said.

In an interview with PCWorld, LastPass CEO Joe Siegrist said the company may have ventured beyond an abundance of caution and actually been "too alarmist" in making its concerns known to its users. The level of detail he offers in the interview seems remarkable given how other companies generally operate in these situations. (Whether he's being completely candid and/or is fully informed is another matter.)

PCMag's Neil J. Rubenking, who uses LastPass himself, says in this post that he's convinced the risk from this breach - if it was a breach - is minuscule.


Copyright © 2011 IDG Communications, Inc.
