LastPass hacker accessed backup of customer vault data including unencrypted website URLs and *encrypted* website usernames and passwords, secure notes, and form-filled data.

Thank goodness LastPass doesn’t know its users’ master passwords.

I’m sure LastPass wanted to be as transparent as possible about this, and get the news out quickly to users.

It’s just unfortunate some might not see it due to proximity to Christmas.

blog.lastpass.com/2022/12/noti

@gcluley
It's such a damn shame. I used LastPass from its early beginnings after hearing about it on Steve Gibson's show. I recommended it to everybody in both personal and professional capacities (former SysAdmin). Set our office up with it and showed everybody how to use it. It was easy to use, cross-platform, and the owners were open about everything they did.

When LogMeIn bought it in 2015, I was a little concerned, but had seen assurances that the original team would continue to run things. So I kept on with it, as updates and improvements continued if a little less frequently.

And THEN, end of 2019, LogMeIn sold itself to an investment firm whose apparent purpose was to milk it as long as possible without actually doing anything other than raking in cash. Development ceased. That's when I started scrambling to find something else, because the writing was on the wall. I did find something I like, but it's not as feature-rich.

I'm a little sad about the whole thing because there are probably many people out there who won't be aware of this news and continue merrily along with it, some of whom are my fault. I retired at the end of 2019 and that employer closed operations, so at least I had a chance to handle the company's last moments with LP gracefully.

Anytime you see a running business sold off to an investment firm like that, it's over and time to go.

@AndyLowry @gcluley I feel the same way. I've been a premium user for longer than I can remember, and I always thought it was definitely something worth supporting. Like you, I was hesitant over the LogMeIn buyout, but continued supporting them.

However, I'm now contemplating switching because, as you say, it feels like things have deteriorated recently. Currently trying out Bitwarden, although I've run into an issue importing my exported LastPass data that will need looking into post-Xmas.

I'm extremely grateful today, however, that the original LastPass team took the sensible decision to never know or store users' master passwords. It makes transitioning to a new vendor less stressful as I can do it at my own pace.

@garethwilliams @gcluley
Bitwarden is what I finally settled on after trying several out. I was able to import without much trouble, though I did have to scan through the list to catch a couple of garbled things here and there, like truncated IP addresses. Was just as well, gave me a chance to whack all the useless stuff that had accumulated over the years. 😀 All I really miss is the credit card autofill, though my browser handles that well enough to not present a real problem. Bitwarden feels a little clunky sometimes because it doesn't always recognize subdomain variations, but just knowing to look for that usually fixes whatever the trouble was.

Yeah, the "we can't see it" approach turns out to have been the right way! I share your admiration for that.
