LastPass, the Web-based password storage service I wrote about late last year (see “LastPass Acquires Xmarks,” 13 December 2010), has announced that it recently discovered suspicious network activity on its internal network and, upon investigation, could not rule out that a limited amount of data had been accessed. The company locked down all accounts to prevent access from unknown locations, announced its findings on its blog, and spoke with the media.
Further analysis turned up no direct evidence that customer data was accessed, but LastPass has said that in the worst case only LastPass login credentials — your email address, master password, and master password hint — may have been taken, and even then only in encrypted form, never as plain text. Other data associated with user accounts, such as site usernames and passwords, form-fill data, and billing information, was not taken. For a full Q&A about the incident, see the LastPass Status page.
The practical upshot for LastPass users is that an attacker holding a copy of your encrypted master password still has to guess it offline, so if your master password is a strong one — no dictionary words, a mix of letters, numbers, and punctuation, and enough length to withstand a brute-force attack — you have little to worry about. Even so, it doesn’t hurt to change it anyway, and to make sure it isn’t reused on any other site, since a password recovered from one breach is routinely tried everywhere else. Either way, if you attempt to log in from a new location (or if someone posing as you does), LastPass requires you to validate your email address until you change your master password or confirm that you’re comfortable keeping the current one. That should prevent access to your account even if your master password were recovered, although it does make your email account the next link in the chain, so that account deserves a strong, unique password too.
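To make the offline-guessing point concrete, here is an added example; it is not code from the article, from LastPass, or from any of the products mentioned. It assumes the stored form of a master password is a salted PBKDF2-HMAC-SHA256 hash (a stand-in for whatever LastPass actually uses, which the article does not describe), a constructed seven-word dictionary with a few common mangling rules, and a deliberately small iteration count so the demo runs quickly. It shows that a dictionary-derived master password falls within a few dozen guesses while a long random one is never reached, and it includes a crude length-and-character-class entropy estimate that practitioners use as a floor check.

```python
"""Offline guessing against a leaked, hashed master password.

Added illustration (not the article's or LastPass's code). Assumptions:
the stored form is salt + PBKDF2-HMAC-SHA256; the wordlist, mangling
rules, iteration count and guess rate below are all made up for the demo.
"""
import hashlib
import hmac
import math
import os
import string

ITERATIONS = 1000  # assumed work factor, kept low so the demo runs fast


def store(master_password, salt=None, iterations=ITERATIONS):
    """What a server might hold: the salt and derived key, not the password."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    return salt, dk, iterations


def verify(candidate, salt, dk, iterations):
    """Constant-time comparison of a candidate's derived key with the stored one."""
    guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(guess, dk)


# Constructed stand-in for a real cracking wordlist.
BASE_WORDS = ["password", "letmein", "monkey", "dragon", "sunshine", "qwerty", "football"]


def candidates(words=BASE_WORDS):
    """Each word, capitalised, and with the usual digit/punctuation suffixes."""
    for w in words:
        yield w
        yield w.capitalize()
        for suffix in ("1", "123", "!", "2011"):
            yield w + suffix
            yield w.capitalize() + suffix


def crack(salt, dk, iterations, budget=10_000):
    """Run the dictionary against the stolen hash.

    Returns (password, guesses) on success, (None, guesses) when the
    wordlist or guess budget is exhausted.
    """
    n = 0
    for cand in candidates():
        if n >= budget:
            break
        n += 1
        if verify(cand, salt, dk, iterations):
            return cand, n
    return None, n


def brute_force_bits(password):
    """Crude entropy estimate: length * log2(size of character pool used).

    This overestimates badly for dictionary-based passwords ("sunshine"
    scores 37 bits but falls in 41 guesses above), so treat it only as a
    floor check on length and variety, never as proof of strength.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every password of the given entropy."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    for pw in ("Sunshine123", "Wd7!tR#9pLq2@vXs"):
        salt, dk, it = store(pw)
        found, n = crack(salt, dk, it)
        bits = brute_force_bits(pw)
        years = seconds_to_exhaust(bits, 1e6) / (3600 * 24 * 365)  # 1e6 guesses/s assumed
        print(f"{pw!r}: cracked={found is not None} after {n} guesses; "
              f"~{bits:.0f} bits, exhaustive search ~{years:.3g} years")
```

The fixed salt in the test below is only there to make results reproducible; `store()` draws a fresh random salt in normal use, which is what stops an attacker from cracking every leaked hash with one precomputed table.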
The mere fact that this breach happened gives credence to the concern about storing passwords or other confidential information online; although LastPass’s security is probably a lot better than that of most companies and individuals, a service holding millions of password vaults is an obvious target for direct attack. Criminals are unlikely to attack an individual specifically, relying instead on malware and social engineering (see “Beware Fake MACDefender Antivirus Software,” 2 May 2011). So storing passwords within 1Password on your Mac is likely safer, and sharing them among multiple devices via Dropbox isn’t unreasonable, since even if Dropbox security were breached, 1Password’s password file would still be encrypted — though that protection rests on the strength of your 1Password master password in exactly the same way the LastPass data does.
Nonetheless, LastPass appears to have handled the situation about as well as possible, and far better than some other recent security breaches, such as the one that hit the Sony PlayStation Network. That’s a good sign, and an indication of how seriously they take security.
In the end, only you can decide if the convenience of LastPass’s automatic login capabilities and machine independence are worth the additional risk of storing your passwords online with a third party. It may be that LastPass is worthwhile, for instance, but only for sites where you’re required to log in purely as a way of identifying yourself, and where there’s no sensitive information stored.