Recently, on May 4th, the people at lastpass.com informed their customers of a "possible" breach of their systems. In their words:
We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.
We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.
Please mind the second sentence of their statement. Even though at that time the LastPass team was not yet certain that a breach had actually succeeded, they forced everyone to change their master password. As a result, the blob of digital gibberish containing your encrypted password vault is turned into a new blob of digital gibberish before being sent to LastPass again.
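The mechanism behind that sentence, as an added example that is neither the original post's nor LastPass's code: the vault is encrypted under keys derived from the master password, so a forced master-password change unlocks the vault with the old password and re-encrypts it under a fresh salt, nonce and keys. The PBKDF2 iteration count, the key split and the HMAC-based toy stream cipher are assumptions chosen to keep the example standard-library only; a real client would use a proper AEAD such as AES-GCM in place of the keystream helper.

```python
import hashlib
import hmac
import json
import os

# Illustrative parameters (assumptions for this example, not LastPass's real settings).
PBKDF2_ITERATIONS = 100_000
KEY_BYTES = 32


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt,
        PBKDF2_ITERATIONS, dklen=2 * KEY_BYTES,
    )
    return material[:KEY_BYTES], material[KEY_BYTES:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC counter-mode keystream standing in for a real cipher (assumption)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault: dict, master_password: str) -> dict:
    """Serialise the vault, encrypt it under keys derived from the master password,
    and authenticate salt, nonce and ciphertext so a wrong password is detected."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(vault, sort_keys=True).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(blob: dict, master_password: str) -> dict:
    """Verify the tag before touching the ciphertext; a wrong password fails here."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered blob")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


def change_master_password(blob: dict, old_pw: str, new_pw: str) -> dict:
    """What a forced master-password change does client-side: unlock with the old
    password, then re-encrypt under a fresh salt, nonce and keys from the new one."""
    return encrypt_vault(decrypt_vault(blob, old_pw), new_pw)


def unlocks(blob: dict, master_password: str) -> bool:
    """True if the given master password opens the blob."""
    try:
        decrypt_vault(blob, master_password)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample vault, not real data.
    vault = {"example.com": {"user": "alice", "password": "correct horse"}}
    old_blob = encrypt_vault(vault, "old master password")
    new_blob = change_master_password(old_blob, "old master password", "new master password")
    print("ciphertext changed:", old_blob["ct"] != new_blob["ct"])
    print("new blob opens with old password:", unlocks(new_blob, "old master password"))
    print("old blob still opens with old password:", unlocks(old_blob, "old master password"))
```

Note what the example does and does not show: the new blob shares nothing with the old one and the old password no longer opens it, but a copy of the old blob taken before the change still opens with the old master password. A forced change therefore protects the vault going forward; it does not undo offline guessing against data that was already exfiltrated, which is why the strength of the old master password still matters.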
Basically, in their blog post the LastPass team admitted that they did not yet know exactly what had happened, but were investigating further. As a precaution, users were asked to change their passwords, and several security measures that were already planned were deployed ahead of schedule.
Why do I think this is important?
- LastPass stores critical data (passwords and other sensitive data) for its users. Still, they communicated clearly, immediately and, as far as I can judge, correctly about the incident, although the potential damage to their image could be significant.
- LastPass indicated that they took immediate action, and explained which measures had already been taken and which were planned for the near future.
- Through several updates, LastPass explained the issues that ensued when every LastPass user tried to change his or her master password.
Ever since the Apache incident of September 2009, I have seen a tendency in the internet community to communicate more openly about possible security breaches. This is a trend we can only applaud. It builds trust, it confronts users with the reality of the dangers on the internet, and in that way it can build awareness towards more secure use of information systems, the internet and computers.
The people at lastpass.com took control of the information being released about the incident, so that they could inform their customer base and the community at large in a timely manner, with correct facts as they unfolded. Not communicating about such an incident would, in my view, be more damaging than communicating openly and correctly about it. Everyone makes mistakes, even infosec people, and some mistakes are more costly than others. No or incomplete communication is, in my opinion, a grave mistake.
Kudos to the people at lastpass.com.
Do you agree with my view on the incident and the handling by lastpass.com? Please discuss in the comments.