Comment by jagged-chisel
7 hours ago
How does anyone seriously trust LastPass anymore? Years ago, I was working for a company handling bank data. They were using LP immediately following a previous LP security incident and had no plans to migrate away.
If the passwords are still not known, the "breach" is not a fail for the end user. If the master password to the vault is secure, and the only way to the vault is still only through the master password, it's still doing what the end user wants it to do. "Breach" is meaningless without qualifiers.
A lot of people and orgs don't use security products for security. They use them for security theater. A vast majority of people, even many security people, will never hear about this breach. So LastPass still works great for them.
I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.
With something like LastPass it's also much easier to create unique strong passwords for other sites.
Also, let's be real:
> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already. This has nothing to do with the security of your passwords stored in LP. They have some CRM, some person from their 800 employees clicked a sketchy link and it leaked that. It's not good, but its hardly an indictment of their product or usefulness
> I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.
> With something like LastPass it's also much easier to create unique strong passwords for other sites.
Sure, but LastPass, in addition to being the least secure option, doesn't even have a good user interface, and it's expensive. There are dozens of other password managers out there, each one better than LastPass in every way.
3 replies →
> I'm pretty sure 99% of the people on exposed have already had their
Right, but LastPass is a company that wants to make you believe that you can trust them with some of your most important assets.
--
Probably related to this:
https://www.bleepingcomputer.com/news/security/lastpass-conf...
“On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,” LastPass says.
"We immediately launched an investigation and learned that, as part of this incident, an unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass.”
“The threat actor then used these credentials to access LastPass customer data within our Salesforce environment.”
1 reply →
1Password checks all these boxes and hasn't yet had a data breach.
Their biggest security hole is probably somewhere in the operational pipeline between 1P browser client developers and the static file servers hosting them.
2 replies →
> I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.
Yeah but wanting a product like LastPass doesn't require that you use LastPass. There are many good alternatives.
3 replies →
When their CRM and support systems are improperly secured, it doesn't bode well for the security of their vaults. When attackers infiltrate one system, it's easier to laterally move to other systems.
Also, their marketing systems are also a mess. I've unsubscribed from their marketing emails multiple times, but to date I'm still getting marketing emails from them even though I'm no longer a customer. Even contacting their support about this issue hasn't helped.
1 reply →
> I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already. This has nothing to do with the security of your passwords stored in LP. They have some CRM, some person from their 800 employees clicked a sketchy link and it leaked that. It's not good, but its hardly an indictment of their product or usefulness
Would you be okay will a public database of all people's names, emails, addresses, phone numbers, and other contact details? After all, most people's data have already been leaked somewhere. Credit reporting agencies have leaked more sensitive data. I, for one, still expect companies to keep my private data private. Especially companies who's started purpose is to keep my secrets secret. It's a bad look for them and if I trusted them this would make me lose my trust in them. But, they already lost my trust two or three (I lost count) breeches ago.
6 replies →
> I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.
What you are describing is a password manager. No one here is questioning why people would use a password manager. That's like asking why people would use a toothbrush. The question is why anyone would use LastPass as their password manager.
> Also, let's be real:
> > The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
> I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already.
I'm sorry to put it so bluntly, but this comment strikes me as really baffling.
LastPass has a very long history of breaches, some of them very severe with a big fallout. It's at the point where the yearly LastPass breach has become a meme just like the yearly T-Mobile breach. It makes no sense whatsoever to look at this incidence without that context and to claim "it's not that bad, they only leaked xyz".
On another note, of course does a breach tell something about the security practices of a password manager company. You really want the developer of your password manager to have good security practices and any sign to the contrary is concerning even when it is not directly related to the core product. Of course security is not about absolutes and mistakes and incidents do happen – what counts is how, how is dealt with them and if they repeat. In the case of LastPass history, including this breach, shows that they have atrocious security and you do not want to let your credentials get any millimeter closer to them than you can possibly avoid.
> I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already.
Again, I'm sorry for being so direct, but this argument annoys me greatly: This argument – that others have done similar bad already and similar harm has already been done – is beyond stupid and needs to die. It's why slippery slopes are real. It's the reason why normalization of bad things happen. It's what people with bad intentions continuously use with great success to slowly make their bad deeds socially acceptable.
When my neighbor dumps his trash on the street that does not allow me to do the same and does not make it any better if I do. I will be just as much in the wrong as him. The only difference being – when I use that excuse – that I will also be a coward.
The wrongdoing of others is never an apology to do the same; and just because something bad is normal does not make it any better and it is especially not an argument for making it even worse.
Well, these types of companies typically carry cyber incident insurance. If there was, say, a ransomware attack, the carrier is going to bring in a forensic team to investigate. If it is determined that there was negligence, like not patching a system, that will be used to deny a claim. This might be a little different from the lastpass situation in that it's an untrustworthy vendor, but there's still significant exposure.
If this bank were my client, I would make sure that the decision-makers were aware.
This.
If you want to be a security vendor reseller, just make sure to sell to orgs that have a compliance requirement, either by law or similar.
Do you sell firewalls? sell them to banks or something. Anti-malware endpoints? Insurances too. SIEMs? payment gateways for their PCI DSS environments.
Price it just below what would be the fine for not complying, that way you maximize the invoice.
I stopped playing the security vendor reseller game because it got too boring this way to make money.
And it will continue until we can sue company being breached for criminal negligence. Should a single company executive be personally liable in these situations, the scale of the problem would be orders of magnitude less severe because they would spend the appropriate amount of effort to cover their damn ass.
This is it. These companies don't really care about their customer's data. Their SDLC is no more rigorous than any other SaaS product. They have junior people and (now) AI pushing code with a quick "LGTM" PR check just like everyone else.
The way to stop this is to have actual consequences for the decision makers here. You can build high-integrity software and some fields (avionics) have done it. But the organization needs to be built from the ground up to do it and nobody's going to do it if you can just get breached and offer a phony apology over and over again.
1 reply →
"We need to be able to answer an RFP that asks "do you have a comprehensive credential management system?"."
Just like a previous employer I had, on background checks. "We need to run one. We don't care what you did or didn't do, if you're doing good work for us. But some of our customers require that we have performed them."
Because procurement is hard. Changing vendors is a big undertaking for big companies. They are certainly not going to be switching vendors every time there is an incident
At some companies, "approved security vendor" just means the breach comes with procurement paperwork.
Also use them as a password manager like an advanced version of Excel that fills in the passwords for you. Security isn't part of it. I have the feeling LastPass agrees.
It is inertia. Customers are sticky, they do not switch unless they have to. If you're an enterprise, you have to go through establishing a new vendor relationship, onboarding a new password vault with your IT team, communicate it across the org, migrate data from the old password vault to the new password vault, etc. There is a real cost in time and resources to do this, and so, many avoid it until they have no other choice.
Lastpass is owned by PE. Why? Because Francisco Partners and Elliott Management bought a cashflow that is sticky. Its why most software companies were acquired by PE prior to the Cambrian explosion of generative AI.
Moving to another solution involves some expense and operational risk (changing procedures, increased human error rates, locking yourself out). Even though the risk of staying with the existing solution goes from "unlikely" to "possible" (so maybe from yellow/amber to red), a lot of companies rationalize it as "but now the provider will be extra careful so the likelihood is actually lower".
Crowdstrike had a famous incident and is still probably #2 in the cybersecurity world. Sometimes assessing risk is a funny business.
I worked for a big company that switched from 1password to Keeper. The transition was smooth and I do not see why it shouldn’t be as long as IT knows what they are doing.
True, but how come such risks are addressable when adding AI or opening up to yet another API or when some savings are promised with a new product/product feature?
1 reply →
If you think I'm going to try and get my mom onto a different password manager, after it took literally ten years to migrate her away from the printed list in her purse...
A printed list in her purse has certain beneficial properties that a password manager does not.
Similarly, it has certain deficits that a password manager does not.
How does anyone trust ANY third party with all their passwords and encryption keys is beyond me.
Setting up KeePassXC is trivial.
it's "trivial" in the sense of "I can launch the app in 2 minutes," but "non-trivial" in the sense of "I have a working, synced password manager across my devices with good security practices."
KeePassXC is not for a "normal" user. It really needs to get default entry tempates [1] out the door.
[1] https://github.com/keepassxreboot/keepassxc/issues/8228
I use KeepassXC, but I have no need to share passwords with other people. In a corporate situation that would probably not work as well.
Passbolt and Bitwarden can be self-hosted on top of offering the usuals pros like MFA, an API incl. integrations (e.g. https://external-secrets.io/latest/provider/passbolt/) and a better UX that does not involve syncing files between team members
E2EE done properly is why. See 1Password security whitepaper for how.
This. KeePassXC plus Google Drive client is all you need.
I’ve done a lot of security consulting work for hundreds of companies and one thing I noticed is that the companies that actually took security seriously were the ones that had been breached in the past. Until the execs and board see the dollar impact themself and not just read about it, the security program never gets the funds it needs.
I’m not saying I recommend LastPass for that reason, but I wouldn’t write them off for that reason.
But LastPass has been breached multiple times by now. I don't think they really care
There are lots of types of a “breach”. The first and second (the major ones) were likely related so more like one continuous incident. This one was a vendor breach that had access to their data so not a reflection of their security program as much as the first.
I’m not saying you’re wrong, I’m saying you can’t tell from this incident.
What happened to the old days of only getting one chance to f-up? Once chance and they should be gone permanently.
People still use Windows
The one that amazes me is Okta.
OK their Mac UX is great, but given their rate of incidents how can you trust it?
Clearly this stuff is not actually bought based on track record.
Funny I used to work in an org with Okta.
Having your own auth workflow was instant fail with the well architected framework committee. Using Okta was instant pass.
I don't necessarily disagree with that policy but given that Okta was breached several times while I was working there, it was interesting the extent to which our CSO had blinders about it.
Liability is the answer! If you build an auth system and it fails, it's your backside. If Okta fails, it's theirs. Enterprises buy products as much as they buy protection from problems.
4 replies →
As someone that is not really in the game, does Okta have such a bad track record, and are there alternatives that are considered solid? From the outside, it seemed like EntraID is a bit of a burning dumpster fire, while Okta seemed expensive, but usable and decent (from comments I read)
The current default for lazy enterprise customers seems to be an unholy tangle of Active Directory, Entra, and Okta. If you use all three it's 3x more secure, right?
1 reply →
What's the risk, and does that change by moving to an alternative?
Companies deal with leaked secrets a lot. A company already using a password manager is ahead of the game.
Suppose they move to a competitor. That's a migration and training that someone has to drive. What do they gain? Another company that can also have exploits? Or they self-host, and now have to fund that, and still potentially get exploits?
Ultimately, this likely isn't that big of a deal for a company.
And they have to weigh it up against all the other things that they can be doing.
Compare https://hn.algolia.com/?q=lastpass to basically any other password manager, like https://hn.algolia.com/?q=1password or https://hn.algolia.com/?q=bitwarden
Those companies do not have the same number and severity of security incidents. lastpass is truly in a category of its own
i'd love to switch from my lastpass family plan to... something else.
but there is a non-trivial switching cost to migrate several people (with varying technical aptitudes) that each use several platforms.
if 1password had a one-click migration flow they'd be able to win over a lot of converts.
3 replies →
I remember ten years ago telling our so-called leaders that the data will get leaked from LastPass. They were all gung-ho about it being secure blah de blah. Luckily most of us don't work there anymore.
I had one of their salesmen harassing me back in 2018 or 2019 when one of their many breeches hit. I said "this is why."
> They were using LP immediately following a previous LP security incident
“Yeah, but they fixed that!”
Normies don’t pull the historical list of breaches and vulns.
They just read headlines.