RU version is available. Content is displayed in original English for accuracy.
Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
52% Positive
Analyzed from 2314 words in the discussion.
Trending Topics
#data#lastpass#security#password#passwords#more#com#company#companies#https
Discussion (64 Comments)Read Original on HackerNews
With something like LastPass it's also much easier to create unique strong passwords for other sites.
Also, let's be real:
> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already. This has nothing to do with the security of your passwords stored in LP. They have some CRM, some person from their 800 employees clicked a sketchy link and it leaked that. It's not good, but its hardly an indictment of their product or usefulness
If you want to be a security vendor reseller, just make sure to sell to orgs that have a compliance requirement, either by law or similar.
Do you sell firewalls? sell them to banks or something. Anti-malware endpoints? Insurances too. SIEMs? payment gateways for their PCI DSS environments.
Price it just below what would be the fine for not complying, that way you maximize the invoice.
I stopped playing the security vendor reseller game because it got too boring this way to make money.
The way to stop this is to have actual consequences for the decision makers here. You can build high-integrity software and some fields (avionics) have done it. But the organization needs to be built from the ground up to do it and nobody's going to do it if you can just get breached and offer a phony apology over and over again.
Crowdstrike had a famous incident and is still probably #2 in the cybersecurity world. Sometimes assessing risk is a funny business.
I’m not saying I recommend LastPass for that reason, but I wouldn’t write them off for that reason.
OK their Mac UX is great, but given their rate of incidents how can you trust it?
Clearly this stuff is not actually bought based on track record.
Having your own auth workflow was instant fail with the well architected framework committee. Using Okta was instant pass.
I don't necessarily disagree with that policy but given that Okta was breached several times while I was working there, it was interesting the extent to which our CSO had blinders about it.
Companies deal with leaked secrets a lot. A company already using a password manager is ahead of the game.
Suppose they move to a competitor. That's a migration and training that someone has to drive. What do they gain? Another company that can also have exploits? Or they self-host, and now have to fund that, and still potentially get exploits?
Ultimately, this likely isn't that big of a deal for a company.
And they have to weigh it up against all the other things that they can be doing.
Those companies do not have the same number and severity of security incidents. lastpass is truly in a category of its own
“Yeah, but they fixed that!”
Normies don’t pull the historical list of breaches and vulns.
They just read headlines.
>"Klue has not said how many of its hundreds of customers are affected. Several companies have come forward to confirm they had data stolen during the attack, including Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium."
>Cybercrime group Icarus took credit for the breach, saying on its leak site that it will publish the stolen data on Monday if the company does not pay the hackers’ ransom."
https://techcrunch.com/2026/06/22/klue-hack-results-in-data-...
but for the past couple years I've just generated and forgotten 90% of my passwords. the final 10% I keep in a password manager. But if the service isn't really that important I just use the 'forgot my password' to change and generate a new password every time I need to login
> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
i can sympathize a little bit with companies that stick with lastpass. when i had to switch an org from lastpass to 1password, it was a massive undertaking and incredibly annoying. however, i have no sympathy for anyone who has chosen lastpass after 2022.
[0] https://keepassxc.org/
For syncing, I do it manually with rsync. Given the database is 1 file it's easy to move around. You can rsync / scp it over, use a USB cable, use cloud storage, etc..
I use a password manager in a "read many, write infrequently" way so I don't mind occasionally syncing it as needed.
There are a few decent Android and iOS apps that work well. I use Nextcloud and WebDAV for access.
Not a setup I can recommend to just anybody though.
Well, I hope Klue got them more customers than they are losing due to this.
1- Tradeoff individual account risk, for systemic risk. You may argue password managers are safe, but few would argue that the risk model reduces the risk of individual password leaks more than the risk of all your passwords leaking. It's a tradeoff.
2- Cat and mouse security: There's a class of security decisions that work because they are new and different. First the weakness was that passwords were short, then you make passwords long but unmemorable, so people rely on some other mechanisms to authenticate, like a file on their computer, a drive, a fingerprint, facial recog, which may in turn be protected by a second factor password.
At first the new security model will not be stressed, but as more users migrate from one security model to the next one, that's when you are able to compare the security of both technologies, it starts being a juicy enough target that it becomes attacked.
So we are at the point where password managers are used enough that they start becoming worthwhile targets of attack (to overcome the difficulty of vulnerating them).
Also worth noting that these attacks are more winner-takes-all. In the sense that rather than seeing one account hacked every couple of hours, you will see them all hacked at once, because you introduced a vendor in the password supply chain AND because the vendor centralizes all of the passwords. So target that one vendor and from a single attack you get all the spoils. So when comparing the security of the olden method and the new, just 1 incident is enough to undo all of the reputational gains it has made over the years.
I do think there are some cases where an online password manager makes sense, e.g. for businesses, but for individuals it's better to just stick with an offline password manager, at least for the high value accounts.
But if even that is too much then f.ex. `keepass` + a scheduled script to periodically backup to your own servers is also perfectly viable.
Wait. That's a thing? Like, there are drooling, mouth-breathing stooges out there that would trust not just one of their passwords to such a thing, but all their passwords to it?
I don't think password managers which store encrypted vaults are less safe than trying to have and juggle strong unique-per-domain passwords, even if you think that the password manager is becoming a target.
https://news.ycombinator.com/item?id=48647272
Third time's the charm
The specific dependency that gets companies infected, and the optics that result, are so important. There have been sillier examples, but you can see how in this case, the priority of sales and profits has resulted in the sacrifice of the main quality measure of their main and only product.
What do you mean exactly here What do you think LastPass could have done to prevent this specific issue?
customer names, phone numbers, email addresses, physical addresses, support case data, sales-related data.
https://bitwarden.com/help/
But LastPass does (Salesforce CNAME):
https://support.lastpass.com/s/?language=en_US
So this couldn't have happened to bitwarden, you own the reputation loss if any of your suppliers get owned. Though it really doesn't matter anymore for LastPass they leaked their customers vaults before, I have no idea how they can still be in business.
To be fair, and I don’t want to, supposedly the only thing that was compromised was contact info. No vaults were exfiltrated or unlocked (as far as the article info goes).
So this is really just another very boring info breach, not a targeted password-stealing hack.
The other breaches they suffered were worse.