Quick to disclose
Password management company LastPass thinks that its network may have been hacked, and worries that passwords may have been compromised. It isn't sure, but it told its users anyway.
It isn't often that we see a refreshingly frank approach to security breach management, but the LastPass story stands out as a shining example of how to do it right. Recently, the company noticed unexpected traffic on its network. Bursts like these can usually be traced to something mundane, such as an unexpected user script, but in this case no cause could be found. Investigating further, it found an unexplained burst of traffic between the database server holding its users' passwords and another server.
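The detection described above, an unexplained burst of traffic from a sensitive server to another host, is the kind of thing a flow-log baseline catches. The following is an added example, not LastPass's own tooling: it sums bytes per host pair per hour, and for any pair touching the database host it alerts when the latest hour is either the first traffic ever seen between those two hosts or far above that pair's own hourly baseline. The host names and flow records are constructed for illustration.

```python
"""
Added example, not LastPass's own tooling: flag an unexplained burst of
traffic involving a sensitive host by comparing the latest hour against
that host pair's own baseline. Host names and flow records are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

SENSITIVE_HOSTS = {"db-server"}      # hypothetical name for the password database host
MIN_BYTES = 10 * 1024 * 1024         # ignore pairs moving under 10 MiB in the latest hour
Z_THRESHOLD = 4.0                    # how many standard deviations above baseline to alert


def build_flows():
    """Constructed flow records (src, dst, bytes, hour) covering 24 hours."""
    flows = []
    for hour in range(24):
        # Steady, legitimate traffic: database to app tier, app tier to web frontend,
        # and an hourly backup stream, each with small hour-to-hour jitter.
        flows.append(("db-server", "app-server", 5_000_000 + (hour % 5) * 40_000, hour))
        flows.append(("app-server", "web-frontend", 2_000_000 + (hour % 3) * 30_000, hour))
        flows.append(("db-server", "backup-host", 20_000_000 + (hour % 4) * 100_000, hour))
    # Hour 23: the backup stream roughly triples, and the database talks to a host it
    # has never talked to before, moving far more data than any of its usual flows.
    flows.append(("db-server", "backup-host", 40_000_000, 23))
    flows.append(("db-server", "unknown-host", 200_000_000, 23))
    return flows


def hourly_totals(flows):
    """Sum bytes per (src, dst) pair per hour."""
    totals = defaultdict(lambda: defaultdict(int))
    for src, dst, nbytes, hour in flows:
        totals[(src, dst)][hour] += nbytes
    return totals


def find_anomalies(flows, latest_hour, sensitive=SENSITIVE_HOSTS):
    """
    Return (src, dst, bytes, reason) for each pair touching a sensitive host whose
    traffic in `latest_hour` is either the first ever seen between the two hosts or
    more than Z_THRESHOLD standard deviations above that pair's earlier hourly totals.
    """
    alerts = []
    for (src, dst), by_hour in hourly_totals(flows).items():
        if src not in sensitive and dst not in sensitive:
            continue
        current = by_hour.get(latest_hour, 0)
        if current < MIN_BYTES:
            continue
        history = [by_hour.get(h, 0) for h in range(latest_hour)]
        if not any(history):
            # New peer for a sensitive host: there is no baseline, so report it outright.
            alerts.append((src, dst, current, "no prior traffic between these hosts"))
            continue
        mu, sigma = mean(history), pstdev(history)
        if current > mu + Z_THRESHOLD * sigma:
            alerts.append((src, dst, current, f"{current / mu:.1f}x the hourly baseline"))
    return alerts


if __name__ == "__main__":
    for src, dst, nbytes, reason in find_anomalies(build_flows(), latest_hour=23):
        print(f"ALERT {src} -> {dst}: {nbytes:,} bytes ({reason})")
```

The two alert paths matter for different reasons: a never-before-seen peer of the database host has no baseline to compare against and is worth a look on its own, while a known peer is judged against its own history so that a busy but legitimate flow does not set the bar for a quiet one. The absolute floor keeps trivially small flows from paging anyone.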
Many companies might have shrugged this off, but LastPass published a blog post warning users of a possible compromise. It said that enough data had crossed the network to suggest that the encrypted passwords stored in the database may have been stolen.
Because the stored passwords were encrypted, the company explained that only users whose passwords were dictionary words (rather than passphrases or random alphanumeric strings) would be at risk. The reasoning is that whoever holds the stolen data can recover a password only by guessing it offline, and a guess list of dictionary words and their common variations is feasible to run through, while a long passphrase or a random string is not.
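The following is an added example, not code from LastPass or the original article, showing why that advice holds: an attacker holding the stolen records tests guesses offline, and the dictionary-word password falls to a short guess list while the passphrase and the random string survive it. The article does not say how the stored values were protected; the example assumes salted PBKDF2-HMAC-SHA256 as a stand-in, and every account, password and wordlist entry in it is constructed.

```python
"""
Added example, not LastPass's code: why a stolen store of password material
puts dictionary-word passwords at risk but not passphrases or random strings.
The page does not say how LastPass protected the stored values; this example
assumes salted PBKDF2-HMAC-SHA256 as a stand-in. All accounts are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept modest so the example runs quickly; production values are higher

# Constructed accounts: one dictionary word, one passphrase, one random string.
CONSTRUCTED_ACCOUNTS = [
    ("alice@example.com", "sunshine"),
    ("bob@example.com", "purple otter frames a quiet violin"),
    ("carol@example.com", "x7Q!mN2#pL9v"),
]

# Small constructed wordlist; real attackers use lists with hundreds of millions of entries.
# It deliberately contains some of the words from bob's passphrase to show that a
# passphrase is not cracked word by word.
WORDLIST = ["password", "letmein", "sunshine", "dragon", "purple", "otter", "violin", "qwerty"]


def derive(password, salt, iterations=ITERATIONS):
    """Slow, salted derivation: the attacker must repeat this once per guess per account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_database(accounts):
    """Build the 'stolen' records: (email, per-account salt, derived value)."""
    records = []
    for email, password in accounts:
        salt = os.urandom(16)
        records.append((email, salt, derive(password, salt)))
    return records


def candidates(wordlist):
    """Yield each word plus a few common manglings attackers try first."""
    for word in wordlist:
        yield word
        yield word.capitalize()
        for digit in "0123456789":
            yield word + digit


def offline_dictionary_attack(records, wordlist):
    """Return {email: password} for every record whose password is in the guess list."""
    guesses = list(candidates(wordlist))
    cracked = {}
    for email, salt, stored in records:
        for guess in guesses:
            # The salt forces the attacker to re-derive every guess for every account.
            if hmac.compare_digest(derive(guess, salt), stored):
                cracked[email] = guess
                break
    return cracked


if __name__ == "__main__":
    stolen = make_database(CONSTRUCTED_ACCOUNTS)
    print(offline_dictionary_attack(stolen, WORDLIST))  # only alice's record is recovered
```

The per-account salt means the attacker cannot precompute the guess list once and reuse it, and the slow derivation makes each guess cost real time; neither helps a user whose password is on the list, because the list is short enough to run through anyway. That is exactly the distinction the company drew between dictionary words and everything else.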
How refreshing it is to see a company act with transparency, responsiveness, and integrity when dealing with a potential security breach. All too often, organizations that have been compromised take days or even weeks to release even the most cursory information about a breach, which puts customers at risk and does little to build trust with the people entrusting those companies with their valuable data.
Perhaps, as we become more used to security breaches as a fact of life in technology, we will continue to mature our approach.