I updated yesterday’s blog post on LastPass to indicate that some users got an email about their catastrophic breach. But I did not. I got one email in August when this first broke and that was it. And yes, I checked spam and trash. Nothing since August.
The email that reached some but not all users made no mention of their vaults being in the hands of the threat actor. They expected users to click through to their blog post and read a few paragraphs in to get the bad news.
So ultimately the only people notified were those paying attention. Their crisis PR team is running the show now, which is not good. LastPass’ corporate interest will now be the priority versus their customers’ security.
Each customer’s risk level depends on their password length and complexity. LastPass is passing the buck by essentially telling customers it’s their fault if their stolen vault is compromised. Not a good look from a company whose one job was to protect password data and that didn’t do it.
I wonder if work from home led to this breach. It sounds like the threat actor’s code possession was enough to convince the social engineering target to turn over the keys to the kingdom. Clearly LastPass lacked human-to-human authentication protocols and learned nothing from their prior breaches.
I have deleted my LastPass account and switched to Bitwarden for now. Ultimately all of these services are a juicy target for hackers given the value of the stored data. So next I’ll be experimenting with ways I can create something under my direct control.