Password manager

My speculation is as good as yours

Indeed. And let's face it, most of what's been published about this breach has been in the realm of speculation.

I'm not saying that anyone should stay or go, but I have never seen, in any case of a major breach, a degree of transparency that allows for a truly informed decision. And some of that's by intent. There still remains a place for keeping certain things out of sight because others could try to follow the same trail.

It's always a mess, and there's never a clear answer. But there is virtually always a crowd with pitchforks and torches willing to hold opinions based mostly on speculation. It's murky, very murky, plain and simple.

Accidents will happen, and certain ones are forgivable, and others are not.
 
Yes, we know information from the original breach was used, but so far it's not public knowledge what this data was and to what extent it assisted.
What might be public knowledge isn't really what matters. What LastPass knew (post first breach)....and did not take action on (for those 3 months following...until the 2nd breach slapped them in the face for sitting on their arse the whole time)...is what mattered.

No witch hunt from me, I have no skin in their game, did not use them, did not resell them. From what I recall (it can be Googled...I'm just quickly losing interest in giving a hoot about LastPass)....they knew what the info was, it was credentials...and...some (at least 1 for sure)...was not changed. They knew.
 
My speculation is as good as yours
Yes but it is difficult to envision ANY scenario that doesn’t involve incredibly lax security measures. Your theory is horrifying. No password management company should allow ANY remote work except via a hardware point-to-point VPN totally isolated from any home network. US DOD clearance level security standards should be maintained. A policy and POV of always "act as if breached" should color every action done on the network.
 
And the beginnings of "just how big the LastPass breach is".....just began to surface this afternoon, as a few "leaks" came out. Official statement from LP about their pants dropped to their ankles will have to follow soon....granted much of it will be sugar coated...but wow this just got huge.
 
What might be public knowledge isn't really what matters.

How can it not matter? How can you fully judge a company's actions without knowing what those actions were? How can you say they did not take action when you don't know what action, if any, could have been taken?

I'm not being pro-LastPass here; I just think they are being judged very harshly based on little supporting evidence.

Your theory is horrifying. No password management company should allow ANY remote work except via a hardware point to point VPN totally isolated from any home network. US DOD clearance level security standards should be maintained. A policy and POV of always act if breached should color every action done on the network.

It wasn't meant as a better scenario, simply an example of how another scenario is a possibility.

Fully agree, being allowed that level of access from a personal home computer is unacceptable. I also would have thought backup data of that sensitivity would require a request/approval workflow or multi-signature verification etc. Something that requires more than a single set of credentials.

Unfortunately it's just not enough to tip me over the edge into leaving. In large part because I believe Bitwarden, 1Password, etc. would be no better. We simply haven't had their horror story exposed yet.
 
It wasn't meant as a better scenario, simply an example of how another scenario is a possibility.
Sadly your scenario was pretty close to the actual events. See my other thread.

Unfortunately it's just not enough to tip me over the edge into leaving. In large part because I believe Bitwarden, 1Password etc would be no better. We simply haven't had their horror story exposed yet.
I was already gone but it IS enough for me to leave if I were still a client. There is a difference between being proven already incompetent and the unknown possibility of being incompetent. And such failures on LP's part allow for its competitors to directly address those shortcomings. I used to be a big defender of LP. But in the past, they responded better to breaches and seemed to have higher security than they seem to do now. It is one thing to do all things correctly and still get hacked. Quite another to deliberately let your guard down. (cutbacks)
 
(cutbacks)

Then we are in for trouble, big, big trouble, across the industry in the very near future. I just made mention elsewhere that this is the first time many in the tech industry have experienced mass reductions in force after a very extended period without same. Those reductions are nowhere near to only being "the extras we brought on board during Covid."

But the belief that you can slash workforce with no repercussions runs deep in U.S. management, as does the idea that all bodies "with the correct credentials" are cog-like equivalents. The very concepts of both institutional memory (knowing what we did right, and wrong, before and what that means moving forward) and seasoning hold no sway. There's a reason I thought, "Lather, rinse, repeat," when this latest wave of RIFs started.