I'm pretty disappointed with how this has been handled. Mainly in two ways:
- The scale of the breach (leaking of PII and encrypted vaults, that URLs are not encrypted) has only come almost 4 months after the initial investigation. When was such a breach suspected in the first place? I would expect extremely timely responses for this stuff.
- They suggest no recommended actions? Surely rotating credentials should be advised? Feels like they are putting business before security.
It's not just the leak that makes me lose complete faith in Lastpass. It's how they've handled the leak.
> It's not just the leak that makes me lose complete faith in Lastpass. It's how they've handled the leak.
Absolutely. I'm switching to 1Password, and though the critics are correct that it isn't a great solution (being practically the same solution), at least they haven't stabbed me in the back or weasel worded me...yet. I was a premium subscriber for the 2FA, for all the good that did me.
I'm no cryptoanalyst, but it seems to me that 1password's addition of the Secret Key, and encrypting all vault data, put them in a much better position than LastPass was.
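The point about the Secret Key, as an added illustration that is not part of the thread and not 1Password's or LastPass's own code: a simplified two-secret derivation (assumed construction, not 1Password's exact 2SKD) shows why a stolen encrypted vault is far less useful when the vault key depends on a high-entropy secret that never reaches the server. Work factor, password and dictionary are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed example, not 1Password's or LastPass's real code.
ITERATIONS = 50_000          # assumed PBKDF2 work factor, illustrative only
WEAK_PASSWORD = "hunter2"    # constructed: a master password a dictionary run would hit
DICTIONARY = ["password", "letmein", "hunter2", "qwerty", "123456"]  # constructed

def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Simplified two-secret derivation (assumed construction, not 1Password's 2SKD):
    the low-entropy password is stretched with PBKDF2, then mixed with the
    high-entropy secret key that lives only on the user's own devices."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, 32)
    return hmac.new(secret_key, pw_part, hashlib.sha256).digest()

def offline_guess(target_key: bytes, salt: bytes, candidates, secret_key: bytes):
    """What a holder of a stolen encrypted vault can do: run candidate passwords
    through the public derivation and see which one yields the vault key
    (standing in for 'which one decrypts the vault')."""
    for guess in candidates:
        if hmac.compare_digest(derive_vault_key(guess, secret_key, salt), target_key):
            return guess
    return None

def compare_schemes():
    salt = secrets.token_bytes(16)              # salt is stored with the vault: the thief has it
    no_secret = b""                             # password-only scheme: nothing else to know
    device_secret = secrets.token_bytes(16)     # 128-bit secret key, never uploaded to the server

    # Scheme A: vault key depends on the master password alone.
    key_a = derive_vault_key(WEAK_PASSWORD, no_secret, salt)
    cracked_a = offline_guess(key_a, salt, DICTIONARY, no_secret)

    # Scheme B: vault key also depends on the secret key. The stolen copy of the
    # vault does not contain it, so every password guess would have to be paired
    # with one of 2**128 secret-key values; the dictionary alone matches nothing.
    key_b = derive_vault_key(WEAK_PASSWORD, device_secret, salt)
    cracked_b = offline_guess(key_b, salt, DICTIONARY, no_secret)
    return cracked_a, cracked_b

if __name__ == "__main__":
    print(compare_schemes())  # ('hunter2', None)
```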