Comment by TZubiri
7 hours ago
>“On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,”
The specific dependency that gets companies infected, and the optics that result, are so important. There have been sillier examples, but you can see how in this case, the priority of sales and profits has resulted in the sacrifice of the main quality measure of their main and only product.
“ the priority of sales and profits has resulted in the sacrifice of the main quality measure of their main and only product”
What do you mean exactly here What do you think LastPass could have done to prevent this specific issue?
Did they need to give them all of this?
customer names, phone numbers, email addresses, physical addresses, support case data, sales-related data.
Generally yes, if you want to use a Customer Relationship Management system like Salesforce. Customer names, contact information, and info about what they bought from you is table stakes data for CRM is it not?
Bitwarden doesn't redirect you to a third party if you visit their support page:
https://bitwarden.com/help/
But LastPass does (Salesforce CNAME):
https://support.lastpass.com/s/?language=en_US
So this couldn't have happened to bitwarden, you own the reputation loss if any of your suppliers get owned. Though it really doesn't matter anymore for LastPass they leaked their customers vaults before, I have no idea how they can still be in business.
Not supply the information to any other company.
Not installing the infected package of course.
It's worth noting that this is not 'their marketing provider' what they do is load 30 different providers for some reason, to maximize the reach of their data sharing and advertising network. Well, their network reached too far and touched an infected node.
You have no idea what Klue is
> the priority of sales and profits has resulted in the sacrifice of the main quality measure of their […] product
To be fair, and I don’t want to, supposedly the only thing that was compromised was contact info. No vaults were exfiltrated or unlocked (as far as the article info goes).
So this is really just another very boring info breach, not a targeted password-stealing hack.
The other breaches they suffered were worse.