What Happens When Your Password Protector is Hacked?

What do you do when the service you trust to protect your passwords is possibly hacked?  LastPass users just found out.  What exactly happened?

Web users who manage and store their passwords through the password management service LastPass were left scrambling, scratching their heads and forced to change their master passwords earlier this week after the company discovered an internal irregularity that raised the possibility of a security breach.

Now, just a few days removed, the company’s CEO, Joe Siegrist, has revealed more details about the incident and tried to calm worried customers who placed their trust, and private details, with the company.

In a blog post on Wednesday, LastPass told users it first noticed a network traffic irregularity on Tuesday morning and, unable to find a cause for it, decided to investigate further.

“After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server),” the blog post noted.

Unable to establish a cause for the irregularity, the company decided to assume the worst case: that some of its data had been stolen.
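The signal LastPass describes, a database host sending more traffic than it received, is the kind of thing a defender can watch for directly. The following is an added example, not LastPass's monitoring code: it scores each host's outbound-to-inbound byte ratio against that host's own baseline and flags hosts whose latest window is far outside it. The flow records are constructed sample data.

```python
"""Flag hosts whose outbound/inbound byte ratio jumps far above their own baseline.
Added example with constructed data; not code from LastPass or from the article."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (window, host, bytes_in, bytes_out).
# Windows 0-4 are the baseline; in window 5 the database host db01 suddenly
# sends five times what it receives, while the web host stays normal.
SAMPLE_FLOWS = [
    (0, "db01", 1_000_000, 800_000), (1, "db01", 1_000_000, 780_000),
    (2, "db01", 1_000_000, 820_000), (3, "db01", 1_000_000, 790_000),
    (4, "db01", 1_000_000, 810_000), (5, "db01", 1_000_000, 5_000_000),
    (0, "web01", 500_000, 400_000), (1, "web01", 500_000, 420_000),
    (2, "web01", 500_000, 380_000), (3, "web01", 500_000, 410_000),
    (4, "web01", 500_000, 390_000), (5, "web01", 600_000, 500_000),
]


def egress_ratios(flows):
    """Per host, the bytes_out / bytes_in ratio for each window, in window order."""
    by_host = defaultdict(list)
    for _window, host, b_in, b_out in sorted(flows):
        by_host[host].append(b_out / max(b_in, 1))  # guard against a zero-inbound window
    return by_host


def flag_egress_anomalies(flows, baseline_windows=5, z_threshold=3.0):
    """Return {host: (latest_ratio, baseline_mean)} for every host whose latest
    window's ratio sits more than z_threshold standard deviations above the
    mean of its first baseline_windows windows."""
    flagged = {}
    for host, ratios in egress_ratios(flows).items():
        if len(ratios) <= baseline_windows:
            continue  # not enough history to judge the latest window
        baseline, latest = ratios[:baseline_windows], ratios[-1]
        mu = mean(baseline)
        sigma = max(pstdev(baseline), 0.01)  # floor so a flat baseline cannot divide by zero
        if (latest - mu) / sigma > z_threshold:
            flagged[host] = (round(latest, 2), round(mu, 2))
    return flagged


if __name__ == "__main__":
    for host, (latest, base) in flag_egress_anomalies(SAMPLE_FLOWS).items():
        print(f"{host}: out/in ratio {latest} vs baseline {base}")
```

A per-host baseline matters because a public web tier legitimately sends far more than it receives, whereas a database behind it normally does not.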

But on Thursday, in an interview with PC World, CEO Joe Siegrist admitted he may have been too “alarmist” in warning customers of the potential security breach.

Siegrist explained that he doesn’t think a lot of data would’ve been taken, but possibly enough to capture a small number of user names and passwords.

LastPass is a service that lets users store their usernames, passwords and form-fill data online so that they only need to remember one master password.  The service, offered in both free and paid tiers, then automatically fills in the information when the user visits a site where it is required.

But even with that protection, the standard rule of password creation – make it complex and use a different one for every site – still applies.

LastPass urges users to use complex, non-dictionary passwords and users who heed that advice are now in safer hands, according to Siegrist.

Siegrist said that even with the potential breach, users with a strong master password have no reason to worry.  It’s the people with weaker passwords who could be a bit more at risk.

So what is an at-risk user to do?

LastPass is advising users with weak passwords to replace their master password with a strong one and also replace their individual passwords on critical accounts like e-mail and banking.

The company is now, Siegrist told PC World, also forcing users to prove that they’re coming from a known IP address and have access to their e-mail.

As the investigation continues, LastPass is providing updates on the situation through its blog, and security research firm Duo Security has advice for users on its own blog.

You can also check out our ‘7 Tips for Safer Social Networking Passwords’ here.