Well, after the tightly locked lips of Sony, RSA, and others, it’s nice to see a company being up front and honest with the users they store data for.
LastPass is a password manager which integrates with many different browsers and OSes (I haven’t really found many places it won’t run). It allows users to store passwords in a vault, which is then unlocked with a master password. The advantage of this, compared to other solutions, is that the vault is synced to their servers, so your passwords are available in all of the different places you use them.
Of course, the downside is that it makes them a big target. According to LastPass, all of the vault data is encrypted on the local machine before it is sent to their servers, so what reaches their servers is already encrypted.
But there is that master password, which of course would give an attacker the keys to the kingdom. According to a post on the LastPass blog, they aren’t sure that anything has actually happened, but they saw something they didn’t like (it sounds like perhaps an anomaly in netflow data), and as such they are now having all users reset their master password, to protect against the threat of someone brute-forcing master passwords against any stolen vault data.
Kudos to LastPass, as they seem to be very up front and honest about it, which is nice, given the recent history of data breaches. So, if you’re a LastPass user, looks like you will have to remember at least one new password.
LastPass blog: LastPass Security Notification
Krebs on Security: LastPass Forces Users to Pick Another Password
The H Security: Potential intrusion suspected in LastPass password service
Ghacks: LastPass Security Breach