LastPass CEO reveals details on security breach

CEO of the password management company, which is dealing with a likely breach, tells PC World that users with strong master passwords should be safe, but others might want to change them.

Following yesterday's revelation of a likely security breach at password management company LastPass, the company's CEO is revealing more details about the incident and trying to offer some comfort and advice to his users.

Speaking yesterday with PC World, LastPass CEO Joe Siegrist admitted he may have been too "alarmist" in sounding the alarm over the potential security breach. But the anomalies the company found when looking over its logs raised too much of a red flag to ignore.

Siegrist explained that he doesn't think a lot of data would have been hacked, but just enough to capture a small number of usernames and passwords. Though the passwords were in an encrypted format, those combined with the usernames could give hackers enough of a starting point to hunt for accounts with weak master passwords. The use of a master password is critical as it can unlock the door to all of a user's Web site passwords, one reason why sites like LastPass urge users to use complex, non-dictionary passwords.

In fact, Siegrist asserted that users with a strong master password have no reason to worry at this point. It's people with weaker passwords who could be a bit more vulnerable. For such users, he's now advising them not only to replace their master password with a strong one, but also replace the individual passwords on certain critical accounts, such as e-mail and banking.

Beyond those words of wisdom, Siegrist told PC World that the company is now forcing users to prove that they're coming from a known IP address or that they still have access to their e-mail. The CEO believes those extra steps should stop any hacker who may have guessed someone's master password. The company has also locked down certain services on the servers that were caught up in the incident and is investigating further to see if it finds any additional clues.

LastPass is continuing to provide further updates on the situation through its ongoing blog.

Security research firm Duo Security also offered its thoughts on the LastPass breach with some advice on what users can do at this point.

About the author

Journalist, software trainer, and Web developer Lance Whitney writes columns and reviews for CNET, Computer Shopper, Microsoft TechNet, and other technology sites. His first book, "Windows 8 Five Minutes at a Time," was published by Wiley & Sons in November 2012.

 
