Yesterday, the password management system LastPass notified its users that it had “discovered and blocked suspicious activity” on its service. This post reviews what happened and encourages people to continue using password management services.


In a previous article that provided advice encouraging the use of password management services, we included this caveat:

“There is major drawback—if someone hacks into your password management app, all of that information is free for the taking. Most of these applications are fairly safe from remote hacking attempts, but that doesn’t account for a computer infected with malware (think key logger) or someone who has had their computer stolen.”

On Monday, June 15, 2015, one of the password management services we mentioned in that earlier post, LastPass, notified its users that it had “discovered and blocked suspicious activity” on its service. While the service indicated that no passwords or “encrypted user vault data” were taken, it did report that email addresses used to send out password reminders were compromised.

As can be expected, online coverage of the breach tended to be shrill and indicate that every user’s passwords to everything had been stolen. That was not the case.

A simple overview of what happened: The core service provided by LastPass was not compromised. However, criminal hackers were able to obtain email addresses that could potentially be used in attempts to encourage users to provide them with account-holder master passwords. The most obvious strategy would be sending out an email to users that appears to be from LastPass (phishing) seeking master passwords. Such email would likely encourage users to provide sensitive data like passwords to a representative of the company.

Why using a password management service is still wise

While it failed to prevent a breach of its system, the hack did provide an opportunity to again explain how a password management service is different from other methods. The most important difference is that a user’s “master password” is not stored by the service. It is stored on the user’s device. Obtaining access to user “password vaults” would require a much higher degree of sophistication.

The way in which password management services are still not 100 percent hacker-proof

Password management services help prevent two major security problems. They provide a way to avoid using the same password on multiple accounts. They provide the means to use more complex and highly encrypted passwords.

When a user can have dozens of accounts that require passwords, the temptation to use the same password on multiple accounts is too tempting to pass up. But nothing is 100 percent. Not even the most secret information about federal employees can be protected. Adding levels of difficulty for the hacker to deal with can serve as encouragement for the hacker to move on to someone else’s insecure data.

Protect your master password

From LastPast comes this advice that is true for any password service: “Never, ever disclose your master password or any confidential information, even to someone claiming to work for (the service).” Also, if you don’t already understand and use “two-step verification” on your most sensitive accounts, see, “What is Two-Step Verification and Why You Should Start Using Them.”

15
Advice From Google on Avoiding Scams Directed at Small Businesses

A wide range of warnings for avoiding scams from con-artists claiming to be from Google.

16
More Tips for Actively Managing Your Passwords

More helpful tips and ideas for managing your passwords.

17
What Small Business Customers Should Know and Do About the JPMorgan Chase Cyberattack

From the bank’s SEC filing and information provided on Chase.com, this is what is currently known about the cyberattack and what the bank is recommending to its customers.

18
How Hackers Use ‘Social Engineering’ and How to Prevent It

Following the recent wave of celebrities having online accounts hacked, here is an explanation of “social engineering,” part of the method the cyber criminals likely used.

19
Ten Tips From the FCC for Improving Your Small Business Cyber Security

Ways to improve your small business cyber security from the U.S. Federal Communications Commission.

20
Password Protection Advice from SmallBusiness.com

Username and password protection is an ongoing requirement for small businesses. Here is a roundup of helpful advice on internet security and password management that has appeared recently on SmallBusiness.com

21
Ebay Asks 145 Million Users to Change Passwords

Ebay is asking its 145 million users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords “and other non-financial data.”

22
What is Two-Step Verification and Why You Should Start Using Them

It’s incredibly easy and fast to use a two-step verification method to protect your online accounts. Here’s how they work and why you should use them.

23
How (and Why) to Use a Password Management Application

A lock on your front door doesn’t do you any good if you keep the key under the mat, just like the best security on the web won’t protect you if you have the same bad password on every site you visit.

24
How to Reduce the Odds of Being Hacked While Using Public Wifi

Getting in a solid work session at the local coffee shop may be a tempting idea, but it has its risks. Like getting your personal information stolen because you were careless on a public network.