
Learn How LastPass Got Through the Heartbleed Information Security Incident Unscathed


For information technology companies unaffected by the OpenSSL bug Heartbleed, managing the information security incident was simple. Here at Quorum, we knew we were safe, but checked our systems anyway to be certain. Once our testing was complete, we issued a statement letting our users know they need not worry. But for companies that used OpenSSL software and were therefore vulnerable, it was another matter. And, of all the responses we saw to this information security incident, LastPass gets the award for the swiftest, most detailed, and most helpful response. Here’s what technology companies can learn from LastPass about managing an information security incident.

Get There Fast

The bug was revealed late April 7 and LastPass was on the case early the next day, announcing that it did in fact use OpenSSL, but that its customers need not worry. LastPass was able to confidently announce, “In summary, LastPass customers do not need to be concerned about their LastPass accounts. Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys.”

Be Transparent

I love how LastPass used its blog to reassure customers and to explain how Heartbleed worked, what the company did to close the vulnerability, and why customers were not affected. The company explained not only the actions taken in this information security incident, but also when they were taken. LastPass even detailed the “perfect forward secrecy” security used by the software to keep customer information safe. By providing this information, LastPass took a potential public relations nightmare and turned it into a marketing triumph.

The company’s response to the bug was so effective that 125,000 new users signed up with LastPass in the week after the OpenSSL flaw was made public. That’s 90,000 more users than it would gain in a typical week. The company’s founder, Joe Siegrist, told Mashable, “It’s definitely good for business, which is a paradox. Do I want it to happen like this? No, I don’t. But if any good can come out of it…” But the good didn’t come from the bug; it came from LastPass’s response to the problem.

Listen to Your Customers

LastPass was incredibly agile when it came to addressing user concerns and complaints. One user stopped by just to comment, “JUST WHAT I expected from you – clear, accessible, timely, and COMFORTING information! Thanks, and GLAD to be a Premium Customer for the crazy fee of $1 per month.”

By contrast, Mint.com users were frustrated by the company’s lack of transparency. One community board member spelled out the concerns of users very clearly and still received unclear responses from the company:

“You say there’s no evidence that customer data was affected, but the Heartbleed bug leaves no logs, so that is not re-assuring at all
You’ve said before that Mint servers are being updated, which suggests that it was exposed. If this is the case, have you gotten new SSL certificatess[sic]? (this is extremely important see next point)
Even if I take a personal precaution and change my Mint and bank account passwords, if a hacker stole your cert at any time and you haven’t gotten a new one, all my accounts are STILL vulnerable no matter how many times I change the password. This is because they basically have a permanent back door into Mint until you get a new SSL cert.
Basically, if you don’t answer the following questions, we have no choice but to STOP USING MINT FOREVER in order to secure ourselves. 1. Was Mint EVER vulnerable to the heartbleed bug (which has existed for 2 years) 2. If so, has the SSL cert been revoked and a new one acquired?”

At this point, no matter what Mint says, users won’t believe them. They have tried to clarify that the company was unaffected by the bug, but trust has already been shattered. Had Mint offered clear answers to the questions of its community members right away, the company wouldn’t be in this uncomfortable position. Mint shows us exactly what you should NOT do in an information security incident like this one.

Offer a Helpful Response

Besides being swift and transparent, LastPass went further than anyone in helping its customers remain secure, both technically and emotionally. After notifying users of the Heartbleed effects and remediation steps taken, LastPass developed a tool that let its users check for vulnerable sites in their “vault,” a list of website data managed by the software.

Being a longtime user, I had the reassuring experience of quickly scanning my websites and seeing which sites were vulnerable to the bug and which sites had been patched. I was able to change my passwords on patched sites in about 15 minutes. The tool made my response to the information security incident much easier. I only had to remind myself to check again in a few days for the sites that had not yet patched their systems. Brilliant!

But you didn’t have to be a customer to benefit from LastPass’s response either. The company created a Heartbleed checker that anyone could use to check on a site for vulnerability to the bug. Surely, this one simple step was largely responsible for the hordes of users that rushed to sign up for the service.

Stay on Top of It

After handling the first day of the information security incident gracefully, LastPass wisely continued to update the public on the status of its progress with Heartbleed. The company updated its blog the evening of April 8 to tell users about the tool it created to let users check their LastPass-managed sites for the vulnerability. The next day, the blog informed users of a new alert feature that would inform them automatically about vulnerable sites. And on April 10, LastPass posted an update with a clear and level-headed response, simply to reassure those who expressed ongoing concerns about the information security incident.

Avoid Problems in the First Place

No company wants to face an information security incident like this one. But if you must, take a few lessons from LastPass on how you can keep customers happy and maybe even use the crisis to boost your reputation and sales. LastPass was smart to keep redundant security systems in place that allowed the company to come out of this crisis unscathed and even ahead of the game. For companies outside the information security sector that nevertheless depend on their data, the focus should be on keeping that data both secure and intact. Use Quorum’s range of backup and disaster recovery products to help your company avoid data disruptions and loss, helping you keep ahead of problems the way LastPass did.
