LastPass, a password manager service that allows users to rely on a single master password to access all their online accounts, says hackers may have penetrated its database and made off with information on some 1.25 million customer accounts.
Although the company says it's still trying to determine if its servers were indeed hacked, it's playing it safe by operating under a worst-case scenario.
"We've chosen to assume the worst as we haven't found definitive evidence," CEO Joe Siegrist told Consumer Ally. "If we assume the worst, then potentially some data on all users could have been accessed."

The Vienna, Va., company, which touts its service by promising users "The Last Password You'll Ever Have to Remember," employs encryption technology to protect passwords that only users can access.
No one at LastPass, the company says, has access to sensitive customer data, and the company never asks for -- or stores -- master passwords, reducing the threat from potential attacks.
"We use firewalls and best practices to protect the servers and service, but our best line of defense is simply not having access to data even if someone got in," the company notes on its site. "If LastPass can't access it, hackers can't either."
In a security notification posted on the LastPass blog, the company alerted users to an issue it described as a "network traffic anomaly," adding, "because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed."
The notification went on to say that users with strong, non-dictionary based passwords or phrases shouldn't be affected at all. Strong passwords, as opposed to weak ones, comprise 12 or more letters, numbers, symbols and changes in case to make them more difficult to guess than names or common words.
The potential threat, the company noted, is "brute forcing" your master password using dictionary words, then going to LastPass with that password to get your data, noting that not everyone opts to choose a strong password that's immune to such attacks.
Siegrist underscored the fact that apart from user emails, all other information on LastPass servers is protected and accessible only to users, including encrypted password hints and hashed master passwords.
"The hashed master password is essentially useless except if you have a very weak master password. Even then, the steps we've taken will protect all users," Siegrist says. "There's a potential threat if you both use a weak master password and use that same password on other sites; we'd recommend changing those passwords."
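The point Siegrist makes above, that a stored hash only exposes a weak master password, illustrated with an added example that is not part of the article or LastPass's own code: a salted, iterated hash (PBKDF2 is assumed here; the article does not say what LastPass used), a constructed five-word stand-in for a dictionary, and a strength check that applies the article's own criteria.

```python
import hashlib
import hmac
import os
import string

# Constructed mini wordlist standing in for the "dictionary words" the article
# describes; a real deployment would check against a large banned-password list.
DICTIONARY = ["password", "letmein", "sunshine", "dragon", "welcome"]


def hash_master_password(password: str, salt: bytes, iterations: int = 10_000) -> bytes:
    """Salted, iterated hash of the kind a service stores instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def is_strong(password: str) -> bool:
    """Apply the article's criteria: 12+ characters, letters, numbers, symbols,
    a change in case, and not simply a dictionary word."""
    checks = [
        any(c.isalpha() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
        any(c.isupper() for c in password) and any(c.islower() for c in password),
    ]
    return len(password) >= 12 and all(checks) and password.lower() not in DICTIONARY


def dictionary_recovers(stored_hash: bytes, salt: bytes, iterations: int = 10_000):
    """Defender's audit of a stored hash: return the dictionary word that
    reproduces it, or None. A hit means a database leak would expose the password."""
    for word in DICTIONARY:
        candidate = hash_master_password(word, salt, iterations)
        if hmac.compare_digest(candidate, stored_hash):
            return word
    return None


def audit(password: str) -> dict:
    """Hash the password as a server would, then report both checks."""
    salt = os.urandom(16)
    stored = hash_master_password(password, salt)
    return {"strong": is_strong(password), "recovered": dictionary_recovers(stored, salt)}
```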
The LastPass incident marks the latest in a series of high-profile hacking episodes that have resulted in the theft of personal information from hundreds of millions of consumers.
Recent cases involving massive hacks include 100 million users of the Sony PlayStation Network, 20 million users of TripAdvisor and untold millions of consumers regularly contacted by Epsilon, the world's largest email marketer, which sends out more than 40 billion emails annually on behalf of corporate clients.
LastPass May Have Been Hacked