LastPass Disclosure Shows Why We Can't Have Nice Things

A few days ago, LastPass announced they would be forcing their users to change their master passwords in response to what was essentially “something weird”:

We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn’t find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed.

LastPass acted exactly like we wish most companies would act: responsibly. And the media’s response? Declaring LastPass “hacked” and “vulnerable”, and placing them in the same category as Sony—who definitely were hacked—with sensationalist headlines like:

  • WARNING: Your Web Browser’s Master Password May Have Been Stolen – Change It Now
  • LastPass Has Been Hacked And Asking Everyone To Change Their Master Passwords
  • LastPass Hacked, Change of Master Password Urgent
  • LastPass Is Hacked – Change Your Master Password, But Don’t Panic
  • Should the LastPass, Sony hacks make you fear storing data in the cloud?

LastPass announced nothing more than that their recent statistics looked strange, and because of that they wanted to stay on the safe side just in case there was a breach—although that was unlikely—and the press responded exactly as it would if LastPass had been caught trying to cover up a certain leak.

(In the worst case scenario, a breach of LastPass’ data would reveal nothing more than master password hashes that are virtually uncrackable if the original password has just minimal complexity. Everything else, including information about individual websites and passwords, would be nothing more than an encrypted blob, the contents of which are inaccessible without the original password.)

You can argue if it’s wise to store your passwords online, but at least treat the few companies who act right right.

By acting the way they were supposed to, LastPass only hurt themselves — and that’s why we can’t have nice things.