While many of us unplugged from the internet over the holidays to spend time with loved ones, LastPass, the maker of a popular security program for managing digital passwords, delivered a most unwanted gift.  It recently published details about a security breach in which cybercriminals obtained copies of customers’ password vaults, potentially exposing millions of people’s online information. From a hacker’s point of view, this is equivalent to hitting the jackpot. When you use a password manager like LastPass or 1Password, it stores a list containing all the usernames and passwords for the sites and apps you use, including banking, healthcare, email, and social networking accounts Huh. It keeps track of that list, called a vault, in its own online cloud so you can easily access your passwords from any device. LastPass said the hackers stole a copy of the list of usernames and passwords for each customer from the company’s servers. This breach was one of the worst things that could happen to a security product designed to take care of your passwords. But besides the obvious next step — to change all your passwords if you used LastPass — there are important lessons we can learn from this debacle, including that security products are not foolproof, especially when they Store our sensitive data in the cloud. First, it’s important to understand what happened: The company said the intruders gained access to its cloud database and a copy of the data vault containing millions of customers using credentials and keys stolen from a LastPass employee. LastPass, which published details about the breach in a blog post on December 22, attempted to reassure its users that their information was likely to be secure. It said that some parts of people’s vaults – such as the website addresses for sites they logged into – were unencrypted, but sensitive data including usernames and passwords were encrypted. This shows that hackers can know the banking website that someone uses but do not need the username and password to log into that person’s account. Most important, the master password that users set to unlock their LastPass vaults was also encrypted. This means hackers would have to crack the encrypted master password to get to the rest of the passwords in each vault, which would be difficult to do as long as people used a unique, complex master password. LastPass CEO Karim Touba declined to be interviewed but wrote in an emailed statement that the incident demonstrated the strength of the company’s system architecture, which he said kept sensitive Vault data encrypted and secure. Is. He also said that it was the users’ responsibility to “practice good password hygiene”. Many security experts disagreed with Mr. Touba’s optimistic spin, saying that every LastPass user should change all of their passwords. “It’s very serious,” said Sinan Eren, an executive at security firm Barracuda. “I think all those managed passwords have been compromised.” Casey Ellis, chief technology officer at security firm BugCrowd, said it was important that the intruders had access to lists of website addresses that people used. “Let’s say I’m following you,” said Mr. Ellis. “I can see all the websites you have saved information for and use that to plan an attack. Every LastPass user has that data now in the hands of an adversary. We can all learn from this breach to stay safe online. While many of us unplugged from the internet over the holidays to spend time with loved ones, LastPass, the maker of a popular security program for managing digital passwords, delivered a most unwanted gift. It recently published details about a security breach in which cybercriminals obtained copies of customers’ password vaults, potentially exposing millions of people’s online information. From a hacker’s point of view, this is equivalent to hitting the jackpot. When you use a password manager like LastPass or 1Password, it stores a list containing all the usernames and passwords for the sites and apps you use, including banking, healthcare, email and social networking accounts Huh. It keeps track of that list, called a vault, in its own online cloud so you can easily access your passwords from any device. LastPass said the hackers stole a copy of the list of usernames and passwords for each customer from the company’s servers. This breach was one of the worst things that could happen to a security product designed to take care of your passwords. But besides the obvious next step — to change all your passwords if you used LastPass — there are important lessons we can learn from this debacle, including that security products are not foolproof, especially when they Store our sensitive data in the cloud. First, it’s important to understand what happened: The company said the intruders gained access to its cloud database and a copy of the data vault containing millions of customers using credentials and keys stolen from a LastPass employee. LastPass, which published details about the breach in a blog post on December 22, attempted to reassure its users that their information was likely to secure. It said that some parts of people’s vaults – such as the website addresses for sites they logged into – were unencrypted, but sensitive data including usernames and passwords were encrypted. This shows that hackers can know the banking website that someone uses but do not need the username and password to log into that person’s account. Most important, the master password that users set to unlock their LastPass vaults was also encrypted. This means hackers would have to crack the encrypted master password to get to the rest of the passwords in each vault, which would be difficult to do as long as people used a unique, complex master password. LastPass CEO Karim Touba declined to be interviewed but wrote in an emailed statement that the incident demonstrated the strength of the company’s system architecture, which he said kept sensitive Vault data encrypted and secure. Is. He also said that it was the users’ responsibility to “practice good password hygiene”. Many security experts disagreed with Mr. Touba’s optimistic spin, saying that every LastPass user should change all of their passwords. “It’s very serious,” said Sinan Eren, an executive at security firm Barracuda. “I think all those managed passwords have been compromised.” Casey Ellis, chief technology officer at security firm BugCrowd, said it was important that the intruders had access to lists of website addresses that people used. “Let’s say I’m following you,” said Mr. Ellis. “I can see all the websites you have saved information for and use that to plan an attack. Every LastPass user has that data now in the hands of an adversary. We can all learn from this breach to stay safe online. More details can be found on OUR FORUM.