LastPass CEO reveals details on security breach

CEO of the password management company, which is dealing with a likely breach, tells PC World that users with strong master passwords should be safe, but others might want to change them.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.

Following yesterday's revelation of a likely security breach at password management company LastPass, the company's CEO is revealing more details about the incident and trying to offer some comfort and advice to his users.

Speaking yesterday with PC World, LastPass CEO Joe Siegrist admits he may have been too "alarmist" in sounding the alarm bell over the potential security breach. But the anomalies the company found when looking over its logs raised too much of a red flag.

Siegrist explained that he doesn't think a lot of data would've been hacked, but just enough to capture a small number of user names and passwords. Though the passwords were in an encrypted format, those combined with the usernames could give hackers enough of a starting point to hunt for accounts with weak master passwords. The use of a master password is critical as it can unlock the door to all of a user's Web site passwords, one reason why sites like LastPass urge users to use complex, non-dictionary passwords.

In fact, Siegrist asserted that users with a strong master password have no reason to worry at this point. It's people with weaker passwords who could be a bit more vulnerable. For such users, he's now advising not only replacing the master password with a strong one, but also replacing the individual passwords on certain critical accounts, such as e-mail and banking.

Beyond those words of wisdom, Siegrist told PC World that the company is now forcing users to prove that they're coming from a known IP address or that they still have access to their e-mail. The CEO believes those extra steps should stop any hacker who may have guessed someone's master password. The company has also locked down certain services on the servers that were caught up in the incident and is investigating further to see if it finds any additional clues.

LastPass is continuing to provide updates on the situation on its blog.

Security research firm Duo Security also offered its thoughts on the LastPass breach with some advice on what users can do at this point.