LastPass confirms hackers had access to internal systems for several days (techradar.com)
69 points by mikece on Sept 20, 2022 | hide | past | favorite | 21 comments



Is there an intellectually honest response to the notion that products like this, at one level, centralize rather than decentralize vitally sensitive information and therefore (1) increase the vulnerability of the customer and (2) paint a big red X on the target, thus incentivizing a higher investment of resources and time for hackers to compromise the product? I want to read that, and I want not to read some snarky idiom-of-non-argument response to that point.


The basic background is that it's impossible to genuinely create and remember unique passwords for every authentication you need, you will need to have patterns or reuses, or keep them "written down" somewhere. AND THEN, it is inevitable that some of those services will have breaches and poor practices, some of your passwords will be exposed.

So the threat model of a "normal user" is that one of their reused passwords will be breached and released, and these services prevent that.

If you are in the situation of being specifically targeted because of a system you have access to, you have an entirely different threat model and should consider the tradeoffs in light of that.

The centralization can't really be avoided and is also somewhat a separate issue. You can weigh the benefits and risks of doing it yourself, keeping it in a physical book or stack of postits, paying one of these companies etc but it has to happen if you're truly using unique passphrases and none of these is free from risk, either of discovery or unrecoverable loss.


Some mitigations include:

- Rotating important passwords, so old copies are less useful

- Bucketing into multiple vaults, easier with file based tools like KeePass, though you could have separate accounts on various SAAS vaults

- Requesting to be forgotten from old services, especially those which have shared PII and passwords

- Hardware 2FA


One could argue it is _theoretically possible_ that in expectation, occasional massive breaches of hugely centralized services will actually be less damaging than much more frequent but smaller scale breaches of decentralized secrets on account of the returns to better, compounding, mutually reinforcing security practices benefiting all stakeholders simultaneously.

It is intellectually similar to the argument that "the cloud providers might have downtime, but they're probably going to have less than your private DC due to the economies of scale and returns on investment in reliability".


This has always been my take as well. I understand the appeal of not having to remember multiple passwords, but damn it feels like you're creating a far bigger problem.


> The initial investigation found no evidence of threat actors accessing customer data or password vaults, meaning no action from end users was required.

I think the key word here is "initial" - they have no evidence thus far that user data was compromised, but that doesn't mean it wasn't, or even that evidence doesn't exist - right?

I get wanting to make a statement promptly and reassure customers but I'm not sure how valuable this is for users of LastPass. Should they just assume everything is fine until the company discovers it's not?


> but that doesn't mean it wasn't, or even that evidence doesn't exist - right?

That is how it works. You can't prove a negative, so the data is not compromised until the investigation shows that it is.

The developer's credentials were compromised, but since those credentials don't give access to the production databases where customer data is stored, there is a good reason to assume no customer data was breached. Of course you still do due diligence and investigate anyway, just to be 110% sure.


How many times has LP been hacked?


My recollection says twice. However, the number of times a company tells the media it has had a breach does not correspond to the number of times data has been exfiltrated.

Notifying customers of a breach is a much more ethical approach than sitting on the information. In some countries it is even mandatory to report breaches to affected users, which I personally think is better than not doing it.



I interpret "hacked" as "compromised". Suspicious activity and vulnerability reports don't meet that criterion. In that case, only 2015 and 2022 would qualify.

The activity in 2011 was never confirmed to be a breach. It was an overcautious response on LastPass's part after seeing an outlier in the logs. The investigating party gave a report saying they couldn't find anything, and the CEO later gave a statement saying they overreacted to an outlier out of an abundance of caution.


I deeply regret not migrating off lp earlier. I just got lazy when my subscription renewed.


It’s pretty easy to do a full export from LastPass and import it right into KeePass.

Things like notes and financial information might need special attention, but the basic process is pretty quick.


Isn't this sort of the opposite of what you want happening?


You don't wanna get hacked but basically everyone gets hacked, so it's more of a question of "how well does your security and monitoring stand up to hacking?"

The big red flag here is that they didn't catch it for so long! How did they not notice?


In the short-term, definitely. An argument that I’ve heard before is that in the long-term, companies like LastPass will gain improved security through fixing the holes that are breached.

“What doesn't kill you makes you stronger”, so to speak.

I’m thinking that something like unrestricted dev access for four days would be more like a death blow, though. I suppose that depends on how much source code was exfiltrated and how many backdoors got planted in systems, etc.


If my bank lost all my money and said "hey, what doesn't kill you makes you stronger, right?" I would definitely stop depositing money there.

I don't consider that "short term" thinking.


Right. The argument that I’ve heard is that that is the long-term thinking of using specialized security vendors like LastPass.

In the short-term, definitely a drawback, and one of the reasons that I’d always recommend something like KeePass for most situations.


Don't search the phrase "naked short". Likely it will not make you feel happy.


It will if you turn SafeSearch off


Would be cool to have 2 password managers that each store 1/2 of all passwords. Then you log in to the 2 password managers and a client-side plugin does the concatenation.

The chances of LastPass and a competitor getting hacked are very low.

Password manager is insanely convenient, but it's all your eggs in one basket.



