Today we began proactively resetting some LogMeIn users’ passwords, and we wanted both these users and the rest of our customer base to understand why. The short version is that these users’ credentials were on a list making the rounds on the web: credentials taken from high-profile breaches at companies like LinkedIn, Tumblr and MySpace. Here’s a bit more.
As you may have seen in the news, lists of hundreds of millions of user credentials taken from past breaches (mostly at social networks) are now being used for a variety of recent nefarious activity on high profile sites like Netflix and Facebook.
LogMeIn actively looks for situations where the accounts of our users could be at risk—even if the threat is external to our service. In this particular case, we identified users who may be at risk because of password reuse. Out of an abundance of caution, we proactively reset those users’ LogMeIn passwords.
What other steps have we taken?
In addition to proactively disabling the passwords, we have notified these accounts via email. Next time they attempt to log in, they will be put into an automated reset password flow.
What steps can users take?
Here are some best practices, which we recommend whether or not your account was affected.
- Never use the same password across different online services, applications and websites.
- Regularly change passwords for both your computers and your online accounts. In the future, you can reset your LogMeIn password here.
- Use a password manager (we highly recommend LastPass).
- Always be vigilant to avoid phishing attempts. Here’s a quick primer.
- Enable 2-step or 2-factor authentication on your online services and applications, if it is offered. Here’s how you can turn on 2-step authentication for your LogMeIn account.
Additionally, here’s a recent post from our security experts at LastPass with steps you can take to protect yourself should you end up on such lists.