While many of us were unplugging from the internet to spend time with loved ones over the holidays, LastPass, the maker of a popular security program for managing digital passwords, delivered the most unwanted gift. It published details about a recent security breach in which cybercriminals had obtained copies of customers’ password vaults, potentially exposing millions of people’s online information.
From a hacker’s perspective, this is the equivalent of hitting the jackpot.
When you use a password manager like LastPass or 1Password, it stores a list containing all of the user names and passwords for the sites and apps you use, including banking, health care, email and social networking accounts. It keeps that list, called the vault, in its online cloud so you have easy access to your passwords from any device. The vault is encrypted with a key derived from your master password, which the company itself never holds. LastPass said hackers had stolen copies of those encrypted vaults for every customer from the company's servers, which means the only thing standing between an attacker and the passwords inside is the strength of each customer's master password and the cost of guessing it offline.
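To make concrete what a stolen vault does and does not give an attacker, here is an added example of my own; it is not LastPass's code, and the vault layout is a simplified stand-in rather than LastPass's real format. It models the two facts that matter: the vault key is derived from the master password with PBKDF2 (LastPass's documented default is 100,100 iterations of PBKDF2-SHA256, with older accounts configured lower), and once the ciphertext is in the attacker's hands, nothing rate-limits their guesses. The HMAC-SHA256 counter-mode keystream stands in for AES so the example runs on the Python standard library alone; the wordlist and vault contents are constructed for the demonstration.

```python
"""Toy model of an offline attack on a stolen, encrypted password vault.

Assumptions (mine, not LastPass's): PBKDF2-HMAC-SHA256 for key derivation,
an HMAC-SHA256 counter-mode keystream in place of AES, and an HMAC tag so a
wrong master password is detected the way a real AEAD tag would detect it.
"""
import hashlib
import hmac
import os

# Constructed sample data for the demonstration (not real credentials).
SAMPLE_VAULT_PLAINTEXT = b"bank.example: alice / hunter2\nmail.example: alice / Tr0ub4dor&3\n"
WEAK_WORDLIST = ["password", "123456", "Summer2022!", "letmein", "qwerty"]


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key.

    Every candidate an attacker tries costs them this many HMAC iterations,
    which is why the iteration count matters once the vault is stolen.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for AES-CTR, not for production use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, plaintext: bytes, iterations: int) -> dict:
    """Produce what the server stores: salt, nonce, iteration count, ciphertext, tag.

    Everything in the returned dict is what the attacker obtained in the breach;
    the master password and derived key are never stored.
    """
    salt = os.urandom(16)
    nonce = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt, "nonce": nonce, "iterations": iterations, "ciphertext": ct, "tag": tag}


def try_open(vault: dict, candidate: str):
    """Attempt to open the vault with a candidate master password.

    Returns the plaintext on success, None otherwise. A real attacker does the
    same thing: derive the key, check the authentication tag (or padding, or
    plaintext structure), and move on if it does not verify.
    """
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    expected = hmac.new(key, vault["nonce"] + vault["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    ks = keystream(key, vault["nonce"], len(vault["ciphertext"]))
    return bytes(a ^ b for a, b in zip(vault["ciphertext"], ks))


def offline_guess(vault: dict, wordlist):
    """Dictionary attack on a stolen vault: no server, no lockout, no rate limit.

    Returns (recovered_password, kdf_evaluations, plaintext); the password and
    plaintext are None if nothing in the wordlist opens the vault.
    """
    for n, candidate in enumerate(wordlist, start=1):
        plaintext = try_open(vault, candidate)
        if plaintext is not None:
            return candidate, n, plaintext
    return None, len(wordlist), None


if __name__ == "__main__":
    weak = encrypt_vault("Summer2022!", SAMPLE_VAULT_PLAINTEXT, iterations=5000)
    found, tries, contents = offline_guess(weak, WEAK_WORDLIST)
    print(f"weak master password recovered: {found!r} after {tries} guesses")
    print(contents.decode())
    strong = encrypt_vault("correct horse battery staple 8291", SAMPLE_VAULT_PLAINTEXT, iterations=100100)
    print("strong master password recovered:", offline_guess(strong, WEAK_WORDLIST)[0])
```

The point the run makes is that the vault's encryption held in both cases; what decides the outcome is whether the master password appears in a wordlist the attacker can afford to run at the vault's iteration count. That is why the practical advice after a vault theft is to rotate the passwords inside it and, going forward, to treat the master password and the KDF setting as the real security boundary.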
This breach was one of the worst things that could happen to a security product designed to take care of your passwords. But other than the obvious next step — to change all of your passwords if you used LastPass — there are important lessons that we can learn from this debacle, including that security products are not foolproof, especially when they store our sensitive data in the cloud.
First, it’s important to understand what happened: The company said intruders had gained access to its cloud-based storage and copied the encrypted vaults of tens of millions of customers, using credentials and keys stolen from a LastPass employee.