>“On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,”
The specific dependency that gets companies infected, and the optics that result, are so important. There have been sillier examples, but you can see how in this case, the priority of sales and profits has resulted in the sacrifice of the main quality measure of their main and only product.
> the priority of sales and profits has resulted in the sacrifice of the main quality measure of their […] product
To be fair, and I don’t want to, supposedly the only thing that was compromised was contact info. No vaults were exfiltrated or unlocked (as far as the article info goes).
So this is really just another very boring info breach, not a targeted password-stealing hack.
Generally yes, if you want to use a Customer Relationship Management system like Salesforce. Customer names, contact information, and info about what they bought from you is table stakes data for CRM is it not?
If you are selling B2B or high ticket items, sure. But these are customers of a security product. It's as silly as running the names of mcdonalds customers through an AI to find hidden sales insights
So this couldn't have happened to bitwarden, you own the reputation loss if any of your suppliers get owned. Though it really doesn't matter anymore for LastPass they leaked their customers vaults before, I have no idea how they can still be in business.
It's worth noting that this is not 'their marketing provider' what they do is load 30 different providers for some reason, to maximize the reach of their data sharing and advertising network. Well, their network reached too far and touched an infected node.
Using a password manager has 2 main tradeoffs and mistakes:
1- Tradeoff individual account risk, for systemic risk. You may argue password managers are safe, but few would argue that the risk model reduces the risk of individual password leaks more than the risk of all your passwords leaking. It's a tradeoff.
2- Cat and mouse security: There's a class of security decisions that work because they are new and different. First the weakness was that passwords were short, then you make passwords long but unmemorable, so people rely on some other mechanisms to authenticate, like a file on their computer, a drive, a fingerprint, facial recog, which may in turn be protected by a second factor password.
At first the new security model will not be stressed, but as more users migrate from one security model to the next one, that's when you are able to compare the security of both technologies, it starts being a juicy enough target that it becomes attacked.
So we are at the point where password managers are used enough that they start becoming worthwhile targets of attack (to overcome the difficulty of vulnerating them).
Also worth noting that these attacks are more winner-takes-all. In the sense that rather than seeing one account hacked every couple of hours, you will see them all hacked at once, because you introduced a vendor in the password supply chain AND because the vendor centralizes all of the passwords. So target that one vendor and from a single attack you get all the spoils. So when comparing the security of the olden method and the new, just 1 incident is enough to undo all of the reputational gains it has made over the years.
"Password manager" used to mean a program that runs locally on your computer. At some point people started making it into a SaaS, because that's more profitable.
I do think there are some cases where an online password manager makes sense, e.g. for businesses, but for individuals it's better to just stick with an offline password manager, at least for the high value accounts.
You can and should have the best of both worlds. Using Enpass, the program _is_ local, it just backs up the entire database (encrypted SQLite3) to a cloud.
But if even that is too much then f.ex. `keepass` + a scheduled script to periodically backup to your own servers is also perfectly viable.
>At some point people started making it into a SaaS, because
Wait. That's a thing? Like, there are drooling, mouth-breathing stooges out there that would trust not just one of their passwords to such a thing, but all their passwords to it?
Password managers (whether it's Lastpass or your browser's built-in password store) also protect against phishing since they tie passwords to domain names.
I don't think password managers which store encrypted vaults are less safe than trying to have and juggle strong unique-per-domain passwords, even if you think that the password manager is becoming a target.
When they work… I finally gave up on 1Password as it has been getting worse and worse about actually autofilling for a few years. After all the Avengers turned into investors and the price increase was announced, I jumped ship. It felt like they were more worried about their ROI than the product. After 18 years of use, this was pretty disappointing.
For personal use, Bitwarden + a Raspberry PI should work perfectly fine. Your devices will sync when you are home. If they get out of sync, your fallback is to password reset. Or use your browser's built-in password manager which also syncs in most cases. I prefer to be browser-agnostic since it gives an easy solution to handle non-web passwords.
> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
It's not just about long vs. short passwords. IMO the greatest benefit of having a password manager -- whether it's a bloated Electron app or just a text file on your computer -- is that it enables you to juggle hundreds of different passwords, randomly generated for each site. It's the best way we know of to limit the blast radius when (not if!) some of those sites inevitably get hacked.
We need a bitcoin hardware wallet kind of password manager, where the actual passwords are stored on a hardware security key. When you click on the computer on the password you want to use, the hardware security key shows it's name on it's screen, and asks you to press a button on it to confirm that you want to use it.
For backup, the hardware security key let's you download a file from it with all of your passwords encrypted, and the decryption password it's shown on it's screen (something like 12 random words)
the Achilles heel of a "secrets vault" is it becomes a defacto priority target. I still dont see how any reasonable person was convinced a cloud service was the best place to put all their secrets.
The problem is not the secrets vault. It's the casual acceptance of giving peoples data to third party processors. What value do last pass customers get from having their details passed on to a marketing firm? None. For all the talk of privacy and putting customers first they are acting like any other company in any other field.
How does anyone seriously trust LastPass anymore? Years ago, I was working for a company handling bank data. They were using LP immediately following a previous LP security incident and had no plans to migrate away.
A lot of people and orgs don't use security products for security. They use them for security theater. A vast majority of people, even many security people, will never hear about this breach. So LastPass still works great for them.
And it will continue until we can sue company being breached for criminal negligence. Should a single company executive be personally liable in these situations, the scale of the problem would be orders of magnitude less severe because they would spend the appropriate amount of effort to cover their damn ass.
This is it. These companies don't really care about their customer's data. Their SDLC is no more rigorous than any other SaaS product. They have junior people and (now) AI pushing code with a quick "LGTM" PR check just like everyone else.
The way to stop this is to have actual consequences for the decision makers here. You can build high-integrity software and some fields (avionics) have done it. But the organization needs to be built from the ground up to do it and nobody's going to do it if you can just get breached and offer a phony apology over and over again.
Moving to another solution involves some expense and operational risk (changing procedures, increased human error rates, locking yourself out). Even though the risk of staying with the existing solution goes from "unlikely" to "possible" (so maybe from yellow/amber to red), a lot of companies rationalize it as "but now the provider will be extra careful so the likelihood is actually lower".
Crowdstrike had a famous incident and is still probably #2 in the cybersecurity world. Sometimes assessing risk is a funny business.
True, but how come such risks are addressable when adding AI or opening up to yet another API or when some savings are promised with a new product/product feature?
> when adding AI ... or when some savings are promised
Because savings are promised. And who could say no to AI? (/s)
There's always some risk mitigation possible but it's costly or inconvenient. Companies pretend the risk is lower so they can do whatever they wanted to do but now with less accountability. The risk matrix says so.
But sometimes the tradeoff is genuinely not worth it. The bottom line is that each company has to do it's own calculations and decide whether moving is overall a better choice. Which risk is higher, that your provider is breached again or that you have new operational issues with the new solution. Which costs more, a chance of another security issue, or the guaranteed expense of replacing the solution? You do the same math at home all the time. Your washing machine leaked once, do you replace everything or just patch the hole?
I worked for a big company that switched from 1password to Keeper. The transition was smooth and I do not see why it shouldn’t be as long as IT knows what they are doing.
If you want to be a security vendor reseller, just make sure to sell to orgs that have a compliance requirement, either by law or similar.
Do you sell firewalls? sell them to banks or something. Anti-malware endpoints? Insurances too. SIEMs? payment gateways for their PCI DSS environments.
Price it just below what would be the fine for not complying, that way you maximize the invoice.
I stopped playing the security vendor reseller game because it got too boring this way to make money.
I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.
With something like LastPass it's also much easier to create unique strong passwords for other sites.
Also, let's be real:
> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already. This has nothing to do with the security of your passwords stored in LP. They have some CRM, some person from their 800 employees clicked a sketchy link and it leaked that. It's not good, but its hardly an indictment of their product or usefulness
> I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.
Yeah but wanting a product like LastPass doesn't require that you use LastPass. There are many good alternatives.
What's the solution? Don't have a CRM and store stuff about customers under lock and key? Don't give access to the CRM to any employees? More security training about clicking shady links?
I don't get how you think some other competitor would be better suited against this threat. The right solution is to mitigate the damage. CRM has minimum available stuff, like names, addresses, etc. Don't keep stuff like payment information, passwords, etc in that place as that's the vulnerable system. It seems like that's what LP does and probably every other company in this space does.
Again, it's entirely reasonable to have an off the shelf CRM, pretty broad access to it. You try to prevent phishing email or phone scams (assuming this is what it was) but you have 800 employees, its bound to happen.
Brand damage and lost of trust from customers are consequences of security breaches. I'm not saying don't have a CRM, but I am saying don't complain when the customer data in your CRM leaks and customers complain. LastPass has had several such breaches over the years, and I think people are right to say that the company has a reputation of poor security hygiene.
By all means, have a CRM. But consider that it probably doesn't need to be as broadly accessible as you think it does, and consider that the people with access to it probably need to be held to a higher standard.
> I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already. This has nothing to do with the security of your passwords stored in LP. They have some CRM, some person from their 800 employees clicked a sketchy link and it leaked that. It's not good, but its hardly an indictment of their product or usefulness
Would you be okay will a public database of all people's names, emails, addresses, phone numbers, and other contact details? After all, most people's data have already been leaked somewhere. Credit reporting agencies have leaked more sensitive data. I, for one, still expect companies to keep my private data private. Especially companies who's started purpose is to keep my secrets secret. It's a bad look for them and if I trusted them this would make me lose my trust in them. But, they already lost my trust two or three (I lost count) breeches ago.
Yes, a public database like this would be acceptable. That way the info isn't paywalled behind some white pages site or similar. And then maybe I could even update my own info to be correct. Contact info is pretty much out there for most people already. Hell, I put it on my resume and send that out to many people and put it on public sites.
I am glad you want the world to know your phone number, but not everyone does.
Since we still use SMS as second factors (or primary, as some in this thread said they don't write down passwords but just use password reset links to login), it's not the best security hygiene
I agree the ship has sailed but I have no desire to make it easier for people to spam me or social engineer any of my accounts. If they want to send some crypto to some stangers on the internet to do it, I can't stop that, but I am not going to hand the info to them on a silver platter.
Where I’m from there actually were guides like this of the whole country, published once a year, I think even into the early 2000s. They stopped doing it for cost savings, but this type of information being public is considered fairly normal by many, as long as you have the ability to unsubscribe.
my ssn (usa) and my credit info (also usa) was already leaked in a data breach. i don't care about my encrypted blob in lastpass being leaked because it's computationally too expensive to crack it (assuming it's not a targeted attack with hostile nation-state level gpu capacity)
> I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.
What you are describing is a password manager. No one here is questioning why people would use a password manager. That's like asking why people would use a toothbrush. The question is why anyone would use LastPass as their password manager.
> Also, let's be real:
> > The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
> I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already.
I'm sorry to put it so bluntly, but this comment strikes me as really baffling.
LastPass has a very long history of breaches, some of them very severe with a big fallout. It's at the point where the yearly LastPass breach has become a meme just like the yearly T-Mobile breach. It makes no sense whatsoever to look at this incidence without that context and to claim "it's not that bad, they only leaked xyz".
On another note, of course does a breach tell something about the security practices of a password manager company. You really want the developer of your password manager to have good security practices and any sign to the contrary is concerning even when it is not directly related to the core product. Of course security is not about absolutes and mistakes and incidents do happen – what counts is how, how is dealt with them and if they repeat. In the case of LastPass history, including this breach, shows that they have atrocious security and you do not want to let your credentials get any millimeter closer to them than you can possibly avoid.
> I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already.
Again, I'm sorry for being so direct, but this argument annoys me greatly: This argument – that others have done similar bad already and similar harm has already been done – is beyond stupid and needs to die. It's why slippery slopes are real. It's the reason why normalization of bad things happen. It's what people with bad intentions continuously use with great success to slowly make their bad deeds socially acceptable.
When my neighbor dumps his trash on the street that does not allow me to do the same and does not make it any better if I do. I will be just as much in the wrong as him. The only difference being – when I use that excuse – that I will also be a coward.
The wrongdoing of others is never an apology to do the same; and just because something bad is normal does not make it any better and it is especially not an argument for making it even worse.
> I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.
> With something like LastPass it's also much easier to create unique strong passwords for other sites.
Sure, but LastPass, in addition to being the least secure option, doesn't even have a good user interface, and it's expensive. There are dozens of other password managers out there, each one better than LastPass in every way.
Password managers are entirely a UX problem waiting to be solved better. Every time I hit a UX bug with my password manager, I mutter that I could do fix that, and then know that mine would also be worse in so many ways just to reach parity. What I wish is there was a public bug tracker of UX issues/optimizations that I, and the rest of the world, could log ideas to. Password managers are such a good idea but they all need just that much more work to be seamless.
Can you give me an example of a UX problem that you attribute to the password manager? That'd help me understand.
I often hit problems with 1Password's autofill on particular websites, but by and large I blame the website. Few examples:
* one website expects me to type the PIN then a Symantec VIP OTP token into a single field called "password". That's a (possibly deliberately) password manager-hostile design. I finally got annoyed with it enough to use an open source project called `python-vipaccess` to create a proper `otpauth://totp/...` URL I could add into 1Password and wrote a TamperMonkey script that added separate autofillable fields that would get concatenated automatically. Now 1Password works fine.
* frequently websites will complain about needing a valid credit card number after autofill. I have to go to the field, delete the last digit, add it back, tab away, then it works. I think they have just used the wrong event handlers and never tested it with autofill.
* they often will skip `autocomplete="new-password"` attributes, so my password manager will look for a (nonexistent) current password rather than prompting me for a new one, and/or they won't have the username and new password fields ever in the DOM at the same time so the password manager doesn't save it properly. (Even if it makes sense in terms of user-visible flow to do these in sequence, they can still leave the username in as a hidden form element for the benefit of the password manager.)
I've also hit UX problems in 1Password itself, for example the "quick access" pop-up doesn't reliably appear on the current Space in macOS. (Confusing and annoying to have to switch to another to see it.) But they seem less common.
These are tiny paper cuts that add up to pain, like the ones you mentioned that affect me/a tiny portion of the user base so they aren't worth fixing. Is the justification I'm sure that's being made. For example, if site auto detection that you're submitting a form fails that you laboriously have to add field elements in and if the editor is on a different workspace on mac you have to go to the application space/desktop than three finger swipe back to the browser space/desktop and then back to the application space/desktop and then back-and-forth to fill in four different security questions. Tiny stuff like that that really adds up, that make password manager usage go down.
I just hit one. Creating a new document in 1Password, the name of the document isn't preselected, so I have to hit delete to name it. Lots of little tiny shit like that.
> These are tiny paper cuts that add up to pain, like the ones you mentioned that affect me/a tiny portion of the user base so they aren't worth fixing. Is the justification I'm sure that's being made.
I think it's not only that but also that making site-specific changes (as I did with a TamperMonkey script) is fragile and could get them into trouble if their changes do the wrong thing (immediately for everyone, for some users, or after some site change). Might be better from their perspective to honor the site's stated intent even if that intent is questionable. In my top example, the "password" field actually is a password if the user hasn't enabled 2FA, so the changes I made wouldn't work for 1Password to apply to everyone. They could detect the label "PIN + Token" to gate it, but what if that text changes in a redesign or is sometimes localized into another language? and so on.
In the broadest sense, I agree there are big UX problems, but how much should we expect the password manager to do unilaterally? fwiw even when a bunch of players got together to make broader changes, we ended up with passkeys, which are far from perfect in many ways. (The flows about scanning a QR code from one device to another, without necessarily even knowing which device has a working passkey for that site... the simultaneous confusing offers of different ways of signing in... try talking your vision-impaired father through that over the phone.)
> if the editor is on a different workspace on mac you have to go to the application space/desktop than three finger swipe back to the browser space/desktop and then back to the application space/desktop and then back-and-forth to fill in four different security questions.
Yeah, that sounds similar to my own complaint about quick access opening on the wrong Space, just applied to the main window instead. And of course when you have to use the security questions something else has gone really wrong, like the main password having changed on the site without having changed in your password manager.
* One way I've seen this is when people have overlapped usage in two different password managers (1Password vs either Google Passwords or Apple Passwords). They have import and export (except for passkeys), but it'd be nice if they had an incremental version to help you get out of this mess if you weren't disciplined in switching over all at once.
* Another is that when you change the site's password even while using the password manager, the actual site change and recording it in the password manager's database is hardly transactional. You can click the password manager's update pop-up even if it failed, or not notice it even if it succeeded. Again not really sure how they would address this unilaterally.
> I just hit one. Creating a new document in 1Password, the name of the document isn't preselected, so I have to hit delete to name it. Lots of little tiny shit like that.
I can't expect them to serve every website on the Internet, but a button on 1Password that was in the context menu for the extension that was "report this site is not working 100% perfectly", and they had a team to come in and check up on the site and extract way to improve their software.
I remember another stupid annoyance. There was one site where passwords were limited to eight characters but the way they password manager entered the passwords. It passed more than the characters along as the password so the password would fail if it auto filled, but if I copy and pasted or typed it manually it would work because the JavaScript had a chance to truncate. The fact that this site was limited to eight character passwords all other conversation, but that was super annoying until I figured it out.
Anyway. I have a love/hate relationship with my password manager.
(I'm Mitch from 1Password.) I do appreciate reading about these kinds of paper cuts and always follow up on them when I see them. We are going to address the item title issue next week, so thank you for that one.
It's true that sometimes very small/simple issues that affect some portiion of people can go for a long time. I'd like to find a better way of identifying these and getting to them quicker than just crawling through HN posts. If you have any thoughts or at least issues you'd like us to look into, always open to hear more.
Thanks for the feedback. It's certainly a challenge to make 1Password work on every website that exists, and even more so to keep it working over time, especially with old items that people created years ago which no longer match the site. We do have a whole "filling and saving" team dedicated to the problem, and we do follow up when users report issues with sites.
I'd love to look into the Quick Access placement. It is supposed to appear on all spaces and sets an NSWindow property to do so. Is there anything particular that you think triggers it (multi-monitor, full screen apps, etc)?
> I'd love to look into the Quick Access placement. It is supposed to appear on all spaces and sets an NSWindow property to do so. Is there anything particular that you think triggers it (multi-monitor, full screen apps, etc)?
Thanks! I haven't seen it in a while, so maybe it's been fixed by either a 1Password or macOS update or is specific to a setting I since changed. But I'll keep my eyes out for if it happens again. I do have a multi-monitor setup.
I do see right now that if I'm on a full-screen app, 1Password's quick access window doesn't show up; if I move to the next space over I see it for a moment and then it disappears. In contrast, Spotlight search will actually pop up directly over my full-screen app, though knowing Apple they could be using some private API for this behavior.
Changing all your passwords after you switch so they aren't potentially exposed in the next LastPass break takes time and energy.
People have a lot of things going on and have to make a decision about whether the risk justifies the effort.
Then there's feature gaps. LastPass is available on all platforms, has convenient sharing, a good story for emergency recovery if I'm incapacitated and want family to get access to things, and support for 2FA options such as Yubikey. Most competitors lack at least some of those, which is an issue if you're relying on them.
Personally, I left Lastpass for 1Password several breaches ago, but it took me a couple weeks of research to decide where to move to, at least a week of changing passwords on sites afterwards, and however much time and energy it took me to help others who I share credentials with switch at the same time.
Security Best Practices change all the time. Failing to implement MFA because "it takes time and energy" and "besides we implemented 12 character, complex passwords years ago" will not be valid excuses for government regulators when they come knocking.
1Password checks all these boxes and hasn't yet had a data breach.
Their biggest security hole is probably somewhere in the operational pipeline between 1P browser client developers and the static file servers hosting them.
Unfortunately it's one of the most bug-ridden and unreliable pieces of software I've ever used. I encounter issues with it on a daily basis, but the burden of switching and a lack of superior options keeps me locked in.
I stopped paying them when they killed local valuts, and secondarily when then moved away from native apps. I drifted along on the old 7.x client for awhile with local values.
I've more or less switched to apple keychain/passwords at this point. I need a solution for linux, and have been thinking about some kind of simple 1-way sync issue that dumps stuff from keychain into some other tool for use on linux.
Curious if you have any gripes or concerns about using the Apple keychain/passwords setup. Aside from Apple devices, do you mostly also stick with Safari? Was it hard to transition things like TOTP or passkeys?
i mostly stick to firefox I do some management of moving some passwords back and forth (i'm not yet using the firefox extension for apple passwords because i just learned about it).. but because i use firefox on my phone as well.. nbd.
In terms of TOTP I just use googleauth and oathtool.
Their flow for regaining access after somehow "disauthorised" laptop, she there's an installed but unused for months plugin is one of the most infuriating.
It won't ask me for my secret key, which I have an can provide immediately, no, it won't allow me to authenticate myself with the phone, because our enterprise vault logs off quickly, I must however do a some absurdly obscure dance because FY, that's why.
Used it for years and never encountered a single bug, and I'm quite a power user with hundreds of items stored in it, shared vaults, and access multiple times per day. It's one of the few softwares I happily pay for.
Maybe it differs from platform to platform, otherwise I can't explain your comment.
It was a fantastic, fast, reliable piece of software until they sold out for VC funding and went the Electron rebuild route.
I was a paying customer for 15 years and migrated away with the last price increases due to "AI-powered functionalities" and the new features making the product worse on top of already being salty over when they stopped the one-time licenses in favor of subscription.
“On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,” LastPass says.
"We immediately launched an investigation and learned that, as part of this incident, an unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass.”
“The threat actor then used these credentials to access LastPass customer data within our Salesforce environment.”
That's a npm supply chain attack style but next level for the Enterprise game: hack one and get access to everything of all of them since they are all unrestricted connected and with each other.
And then they force us to install cloudstrike, antiviruses and client side monitoring because "us are the security problem".
When their CRM and support systems are improperly secured, it doesn't bode well for the security of their vaults. When attackers infiltrate one system, it's easier to laterally move to other systems.
Also, their marketing systems are also a mess. I've unsubscribed from their marketing emails multiple times, but to date I'm still getting marketing emails from them even though I'm no longer a customer. Even contacting their support about this issue hasn't helped.
Assuming you are in EU you could report them to local DPA. Objection (i.e. unsubscribing. Original automatic subscription may or or may not have been legal) to direct marketing is pretty much absolute due to GDPR Article 21(2), I'm not aware of any "workaround" companies have successfully managed to argue.
In the US you can report it to FTC for CAN-SPAM violations, but don't hold your breath on any enforcement.
It is inertia. Customers are sticky, they do not switch unless they have to. If you're an enterprise, you have to go through establishing a new vendor relationship, onboarding a new password vault with your IT team, communicate it across the org, migrate data from the old password vault to the new password vault, etc. There is a real cost in time and resources to do this, and so, many avoid it until they have no other choice.
Lastpass is owned by PE. Why? Because Francisco Partners and Elliott Management bought a cashflow that is sticky. Its why most software companies were acquired by PE prior to the Cambrian explosion of generative AI.
Also use them as a password manager like an advanced version of Excel that fills in the passwords for you. Security isn't part of it. I have the feeling LastPass agrees.
Because procurement is hard. Changing vendors is a big undertaking for big companies. They are certainly not going to be switching vendors every time there is an incident
Well, these types of companies typically carry cyber incident insurance. If there was, say, a ransomware attack, the carrier is going to bring in a forensic team to investigate. If it is determined that there was negligence, like not patching a system, that will be used to deny a claim. This might be a little different from the lastpass situation in that it's an untrustworthy vendor, but there's still significant exposure.
If this bank were my client, I would make sure that the decision-makers were aware.
"We need to be able to answer an RFP that asks "do you have a comprehensive credential management system?"."
Just like a previous employer I had, on background checks. "We need to run one. We don't care what you did or didn't do, if you're doing good work for us. But some of our customers require that we have performed them."
What's the risk, and does that change by moving to an alternative?
Companies deal with leaked secrets a lot. A company already using a password manager is ahead of the game.
Suppose they move to a competitor. That's a migration and training that someone has to drive. What do they gain? Another company that can also have exploits? Or they self-host, and now have to fund that, and still potentially get exploits?
Ultimately, this likely isn't that big of a deal for a company.
And they have to weigh it up against all the other things that they can be doing.
You pretty much export your data from lastpass and import it into 1password. The only thing it doesn't do is have 1password log into your lastpass account and pull it out itself.
As someone that is not really in the game, does Okta have such a bad track record, and are there alternatives that are considered solid? From the outside, it seemed like EntraID is a bit of a burning dumpster fire, while Okta seemed expensive, but usable and decent (from comments I read)
The current default for lazy enterprise customers seems to be an unholy tangle of Active Directory, Entra, and Okta. If you use all three it's 3x more secure, right?
Having your own auth workflow was instant fail with the well architected framework committee. Using Okta was instant pass.
I don't necessarily disagree with that policy but given that Okta was breached several times while I was working there, it was interesting the extent to which our CSO had blinders about it.
Liability is the answer! If you build an auth system and it fails, it's your backside. If Okta fails, it's theirs. Enterprises buy products as much as they buy protection from problems.
e.g. when Crowdstrike takes down Windows across the worlds or AWS east coast falls over everybody hurts. At that point the story is easy, you point at the broken thing, mumble something about improving resilience, and everyone just moves on.
Roll your own system and have it taken down / breached specifically? There's noone to point at. It's hard to make the narrative anything except it being your fault.
You have (the perception of having) someone to forward the claim to once you're hit by one where the damages are quantified in money like a life insurance or disability payout caused by the data loss?
I’ve done a lot of security consulting work for hundreds of companies and one thing I noticed is that the companies that actually took security seriously were the ones that had been breached in the past. Until the execs and board see the dollar impact themself and not just read about it, the security program never gets the funds it needs.
I’m not saying I recommend LastPass for that reason, but I wouldn’t write them off for that reason.
There are lots of types of a “breach”. The first and second (the major ones) were likely related so more like one continuous incident. This one was a vendor breach that had access to their data so not a reflection of their security program as much as the first.
I’m not saying you’re wrong, I’m saying you can’t tell from this incident.
Weirdly being a security company actually can have the opposite affect. A small portion of potential customers or investors assume the company is more secure because they are a security company after all (and should be); therefore, the customer's security review are less stringent so exec can get away with smaller internal security budgets. Of course good security companys with good leadership doesn't do that... but those aren't the big companies.
Passbolt and Bitwarden can be self-hosted on top of offering the usuals pros like MFA, an API incl. integrations (e.g. https://external-secrets.io/latest/provider/passbolt/) and a better UX that does not involve syncing files between team members
https://news.ycombinator.com/item?id=48647272
Third time's the charm
The specific dependency that gets companies infected, and the optics that result, are so important. There have been sillier examples, but you can see how in this case, the priority of sales and profits has resulted in the sacrifice of the main quality measure of their main and only product.
To be fair, and I don’t want to, supposedly the only thing that was compromised was contact info. No vaults were exfiltrated or unlocked (as far as the article info goes).
So this is really just another very boring info breach, not a targeted password-stealing hack.
The other breaches they suffered were worse.
What do you mean exactly here What do you think LastPass could have done to prevent this specific issue?
customer names, phone numbers, email addresses, physical addresses, support case data, sales-related data.
https://bitwarden.com/help/
But LastPass does (Salesforce CNAME):
https://support.lastpass.com/s/?language=en_US
So this couldn't have happened to bitwarden, you own the reputation loss if any of your suppliers get owned. Though it really doesn't matter anymore for LastPass they leaked their customers vaults before, I have no idea how they can still be in business.
It's worth noting that this is not 'their marketing provider' what they do is load 30 different providers for some reason, to maximize the reach of their data sharing and advertising network. Well, their network reached too far and touched an infected node.
1- Tradeoff individual account risk, for systemic risk. You may argue password managers are safe, but few would argue that the risk model reduces the risk of individual password leaks more than the risk of all your passwords leaking. It's a tradeoff.
2- Cat and mouse security: There's a class of security decisions that work because they are new and different. First the weakness was that passwords were short, then you make passwords long but unmemorable, so people rely on some other mechanisms to authenticate, like a file on their computer, a drive, a fingerprint, facial recog, which may in turn be protected by a second factor password.
At first the new security model will not be stressed, but as more users migrate from one security model to the next one, that's when you are able to compare the security of both technologies, it starts being a juicy enough target that it becomes attacked.
So we are at the point where password managers are used enough that they start becoming worthwhile targets of attack (to overcome the difficulty of vulnerating them).
Also worth noting that these attacks are more winner-takes-all. In the sense that rather than seeing one account hacked every couple of hours, you will see them all hacked at once, because you introduced a vendor in the password supply chain AND because the vendor centralizes all of the passwords. So target that one vendor and from a single attack you get all the spoils. So when comparing the security of the olden method and the new, just 1 incident is enough to undo all of the reputational gains it has made over the years.
I do think there are some cases where an online password manager makes sense, e.g. for businesses, but for individuals it's better to just stick with an offline password manager, at least for the high value accounts.
But if even that is too much then f.ex. `keepass` + a scheduled script to periodically backup to your own servers is also perfectly viable.
Wait. That's a thing? Like, there are drooling, mouth-breathing stooges out there that would trust not just one of their passwords to such a thing, but all their passwords to it?
Sure you can self-host all of it also, but people like to pay for not having to do that.
I don't think password managers which store encrypted vaults are less safe than trying to have and juggle strong unique-per-domain passwords, even if you think that the password manager is becoming a target.
And it's not unheard of that infections metastize, whether into developer accounts, product code... Probabilistically, this was a shot on goal.
I apologize for the mixed metaphors.
For backup, the hardware security key let's you download a file from it with all of your passwords encrypted, and the decryption password it's shown on it's screen (something like 12 random words)
The way to stop this is to have actual consequences for the decision makers here. You can build high-integrity software and some fields (avionics) have done it. But the organization needs to be built from the ground up to do it and nobody's going to do it if you can just get breached and offer a phony apology over and over again.
Crowdstrike had a famous incident and is still probably #2 in the cybersecurity world. Sometimes assessing risk is a funny business.
Because savings are promised. And who could say no to AI? (/s)
There's always some risk mitigation possible but it's costly or inconvenient. Companies pretend the risk is lower so they can do whatever they wanted to do but now with less accountability. The risk matrix says so.
But sometimes the tradeoff is genuinely not worth it. The bottom line is that each company has to do it's own calculations and decide whether moving is overall a better choice. Which risk is higher, that your provider is breached again or that you have new operational issues with the new solution. Which costs more, a chance of another security issue, or the guaranteed expense of replacing the solution? You do the same math at home all the time. Your washing machine leaked once, do you replace everything or just patch the hole?
If you want to be a security vendor reseller, just make sure to sell to orgs that have a compliance requirement, either by law or similar.
Do you sell firewalls? sell them to banks or something. Anti-malware endpoints? Insurances too. SIEMs? payment gateways for their PCI DSS environments.
Price it just below what would be the fine for not complying, that way you maximize the invoice.
I stopped playing the security vendor reseller game because it got too boring this way to make money.
With something like LastPass it's also much easier to create unique strong passwords for other sites.
Also, let's be real:
> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already. This has nothing to do with the security of your passwords stored in LP. They have some CRM, some person from their 800 employees clicked a sketchy link and it leaked that. It's not good, but its hardly an indictment of their product or usefulness
Yeah but wanting a product like LastPass doesn't require that you use LastPass. There are many good alternatives.
I don't get how you think some other competitor would be better suited against this threat. The right solution is to mitigate the damage. CRM has minimum available stuff, like names, addresses, etc. Don't keep stuff like payment information, passwords, etc in that place as that's the vulnerable system. It seems like that's what LP does and probably every other company in this space does.
Again, it's entirely reasonable to have an off the shelf CRM, pretty broad access to it. You try to prevent phishing email or phone scams (assuming this is what it was) but you have 800 employees, its bound to happen.
Use any of the other password managers that don't have the poor security history that LP do.
By all means, have a CRM. But consider that it probably doesn't need to be as broadly accessible as you think it does, and consider that the people with access to it probably need to be held to a higher standard.
Would you be okay will a public database of all people's names, emails, addresses, phone numbers, and other contact details? After all, most people's data have already been leaked somewhere. Credit reporting agencies have leaked more sensitive data. I, for one, still expect companies to keep my private data private. Especially companies who's started purpose is to keep my secrets secret. It's a bad look for them and if I trusted them this would make me lose my trust in them. But, they already lost my trust two or three (I lost count) breeches ago.
Since we still use SMS as second factors (or primary, as some in this thread said they don't write down passwords but just use password reset links to login), it's not the best security hygiene
The damage is already done. Your private information was already leaked long ago. You can't make a sunk boat more wet.
better expect companies to never know your private data
What you are describing is a password manager. No one here is questioning why people would use a password manager. That's like asking why people would use a toothbrush. The question is why anyone would use LastPass as their password manager.
> Also, let's be real:
> > The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
> I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already.
I'm sorry to put it so bluntly, but this comment strikes me as really baffling.
LastPass has a very long history of breaches, some of them very severe with a big fallout. It's at the point where the yearly LastPass breach has become a meme just like the yearly T-Mobile breach. It makes no sense whatsoever to look at this incidence without that context and to claim "it's not that bad, they only leaked xyz".
On another note, of course does a breach tell something about the security practices of a password manager company. You really want the developer of your password manager to have good security practices and any sign to the contrary is concerning even when it is not directly related to the core product. Of course security is not about absolutes and mistakes and incidents do happen – what counts is how, how is dealt with them and if they repeat. In the case of LastPass history, including this breach, shows that they have atrocious security and you do not want to let your credentials get any millimeter closer to them than you can possibly avoid.
> I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already.
Again, I'm sorry for being so direct, but this argument annoys me greatly: This argument – that others have done similar bad already and similar harm has already been done – is beyond stupid and needs to die. It's why slippery slopes are real. It's the reason why normalization of bad things happen. It's what people with bad intentions continuously use with great success to slowly make their bad deeds socially acceptable.
When my neighbor dumps his trash on the street that does not allow me to do the same and does not make it any better if I do. I will be just as much in the wrong as him. The only difference being – when I use that excuse – that I will also be a coward.
The wrongdoing of others is never an apology to do the same; and just because something bad is normal does not make it any better and it is especially not an argument for making it even worse.
> With something like LastPass it's also much easier to create unique strong passwords for other sites.
Sure, but LastPass, in addition to being the least secure option, doesn't even have a good user interface, and it's expensive. There are dozens of other password managers out there, each one better than LastPass in every way.
I often hit problems with 1Password's autofill on particular websites, but by and large I blame the website. Few examples:
* one website expects me to type the PIN then a Symantec VIP OTP token into a single field called "password". That's a (possibly deliberately) password manager-hostile design. I finally got annoyed with it enough to use an open source project called `python-vipaccess` to create a proper `otpauth://totp/...` URL I could add into 1Password and wrote a TamperMonkey script that added separate autofillable fields that would get concatenated automatically. Now 1Password works fine.
* frequently websites will complain about needing a valid credit card number after autofill. I have to go to the field, delete the last digit, add it back, tab away, then it works. I think they have just used the wrong event handlers and never tested it with autofill.
* they often will skip `autocomplete="new-password"` attributes, so my password manager will look for a (nonexistent) current password rather than prompting me for a new one, and/or they won't have the username and new password fields ever in the DOM at the same time so the password manager doesn't save it properly. (Even if it makes sense in terms of user-visible flow to do these in sequence, they can still leave the username in as a hidden form element for the benefit of the password manager.)
I've also hit UX problems in 1Password itself, for example the "quick access" pop-up doesn't reliably appear on the current Space in macOS. (Confusing and annoying to have to switch to another to see it.) But they seem less common.
I think it's not only that but also that making site-specific changes (as I did with a TamperMonkey script) is fragile and could get them into trouble if their changes do the wrong thing (immediately for everyone, for some users, or after some site change). Might be better from their perspective to honor the site's stated intent even if that intent is questionable. In my top example, the "password" field actually is a password if the user hasn't enabled 2FA, so the changes I made wouldn't work for 1Password to apply to everyone. They could detect the label "PIN + Token" to gate it, but what if that text changes in a redesign or is sometimes localized into another language? and so on.
In the broadest sense, I agree there are big UX problems, but how much should we expect the password manager to do unilaterally? fwiw even when a bunch of players got together to make broader changes, we ended up with passkeys, which are far from perfect in many ways. (The flows about scanning a QR code from one device to another, without necessarily even knowing which device has a working passkey for that site... the simultaneous confusing offers of different ways of signing in... try talking your vision-impaired father through that over the phone.)
> if the editor is on a different workspace on mac you have to go to the application space/desktop than three finger swipe back to the browser space/desktop and then back to the application space/desktop and then back-and-forth to fill in four different security questions.
Yeah, that sounds similar to my own complaint about quick access opening on the wrong Space, just applied to the main window instead. And of course when you have to use the security questions something else has gone really wrong, like the main password having changed on the site without having changed in your password manager.
* One way I've seen this is when people have overlapped usage in two different password managers (1Password vs either Google Passwords or Apple Passwords). They have import and export (except for passkeys), but it'd be nice if they had an incremental version to help you get out of this mess if you weren't disciplined in switching over all at once.
* Another is that when you change the site's password even while using the password manager, the actual site change and recording it in the password manager's database is hardly transactional. You can click the password manager's update pop-up even if it failed, or not notice it even if it succeeded. Again not really sure how they would address this unilaterally.
> I just hit one. Creating a new document in 1Password, the name of the document isn't preselected, so I have to hit delete to name it. Lots of little tiny shit like that.
Yeah, that's 100% on them.
I remember another stupid annoyance. There was one site where passwords were limited to eight characters but the way they password manager entered the passwords. It passed more than the characters along as the password so the password would fail if it auto filled, but if I copy and pasted or typed it manually it would work because the JavaScript had a chance to truncate. The fact that this site was limited to eight character passwords all other conversation, but that was super annoying until I figured it out.
Anyway. I have a love/hate relationship with my password manager.
It's true that sometimes very small/simple issues that affect some portiion of people can go for a long time. I'd like to find a better way of identifying these and getting to them quicker than just crawling through HN posts. If you have any thoughts or at least issues you'd like us to look into, always open to hear more.
I'd love to look into the Quick Access placement. It is supposed to appear on all spaces and sets an NSWindow property to do so. Is there anything particular that you think triggers it (multi-monitor, full screen apps, etc)?
Thanks! I haven't seen it in a while, so maybe it's been fixed by either a 1Password or macOS update or is specific to a setting I since changed. But I'll keep my eyes out for if it happens again. I do have a multi-monitor setup.
I do see right now that if I'm on a full-screen app, 1Password's quick access window doesn't show up; if I move to the next space over I see it for a moment and then it disappears. In contrast, Spotlight search will actually pop up directly over my full-screen app, though knowing Apple they could be using some private API for this behavior.
Switching takes time and energy.
Changing all your passwords after you switch so they aren't potentially exposed in the next LastPass break takes time and energy.
People have a lot of things going on and have to make a decision about whether the risk justifies the effort.
Then there's feature gaps. LastPass is available on all platforms, has convenient sharing, a good story for emergency recovery if I'm incapacitated and want family to get access to things, and support for 2FA options such as Yubikey. Most competitors lack at least some of those, which is an issue if you're relying on them.
Personally, I left Lastpass for 1Password several breaches ago, but it took me a couple weeks of research to decide where to move to, at least a week of changing passwords on sites afterwards, and however much time and energy it took me to help others who I share credentials with switch at the same time.
Their biggest security hole is probably somewhere in the operational pipeline between 1P browser client developers and the static file servers hosting them.
I've more or less switched to apple keychain/passwords at this point. I need a solution for linux, and have been thinking about some kind of simple 1-way sync issue that dumps stuff from keychain into some other tool for use on linux.
In terms of TOTP I just use googleauth and oathtool.
It won't ask me for my secret key, which I have an can provide immediately, no, it won't allow me to authenticate myself with the phone, because our enterprise vault logs off quickly, I must however do a some absurdly obscure dance because FY, that's why.
I was a paying customer for 15 years and migrated away with the last price increases due to "AI-powered functionalities" and the new features making the product worse on top of already being salty over when they stopped the one-time licenses in favor of subscription.
Right, but LastPass is a company that wants to make you believe that you can trust them with some of your most important assets.
--
Probably related to this:
https://www.bleepingcomputer.com/news/security/lastpass-conf...
“On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,” LastPass says.
"We immediately launched an investigation and learned that, as part of this incident, an unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass.”
“The threat actor then used these credentials to access LastPass customer data within our Salesforce environment.”
And then they force us to install cloudstrike, antiviruses and client side monitoring because "us are the security problem".
Also, their marketing systems are also a mess. I've unsubscribed from their marketing emails multiple times, but to date I'm still getting marketing emails from them even though I'm no longer a customer. Even contacting their support about this issue hasn't helped.
In the US you can report it to FTC for CAN-SPAM violations, but don't hold your breath on any enforcement.
Lastpass is owned by PE. Why? Because Francisco Partners and Elliott Management bought a cashflow that is sticky. Its why most software companies were acquired by PE prior to the Cambrian explosion of generative AI.
If this bank were my client, I would make sure that the decision-makers were aware.
Just like a previous employer I had, on background checks. "We need to run one. We don't care what you did or didn't do, if you're doing good work for us. But some of our customers require that we have performed them."
Companies deal with leaked secrets a lot. A company already using a password manager is ahead of the game.
Suppose they move to a competitor. That's a migration and training that someone has to drive. What do they gain? Another company that can also have exploits? Or they self-host, and now have to fund that, and still potentially get exploits?
Ultimately, this likely isn't that big of a deal for a company.
And they have to weigh it up against all the other things that they can be doing.
Those companies do not have the same number and severity of security incidents. lastpass is truly in a category of its own
but there is a non-trivial switching cost to migrate several people (with varying technical aptitudes) that each use several platforms.
if 1password had a one-click migration flow they'd be able to win over a lot of converts.
https://support.1password.com/import-lastpass/?mac
OK their Mac UX is great, but given their rate of incidents how can you trust it?
Clearly this stuff is not actually bought based on track record.
Having your own auth workflow was instant fail with the well architected framework committee. Using Okta was instant pass.
I don't necessarily disagree with that policy but given that Okta was breached several times while I was working there, it was interesting the extent to which our CSO had blinders about it.
e.g. when Crowdstrike takes down Windows across the worlds or AWS east coast falls over everybody hurts. At that point the story is easy, you point at the broken thing, mumble something about improving resilience, and everyone just moves on.
Roll your own system and have it taken down / breached specifically? There's noone to point at. It's hard to make the narrative anything except it being your fault.
“Yeah, but they fixed that!”
Normies don’t pull the historical list of breaches and vulns.
They just read headlines.
I’m not saying I recommend LastPass for that reason, but I wouldn’t write them off for that reason.
I’m not saying you’re wrong, I’m saying you can’t tell from this incident.
Setting up KeePassXC is trivial.