The Bad News About LastPass Data Breach Keeps Getting Worse


A product we have recommended to our clients for over ten years has experienced a major slip-up recently, and the company compounded its security missteps with a ham-handed attempt to cover up what it had done to its users’ security. The response to the security breach is the cause of this change in recommendation. If you were impacted by the LastPass breach because we recommended it, we apologize for your inconvenience. We experienced it firsthand and changed hundreds of passwords (just in case).

Some of it isn’t *entirely* their fault. Their employee had their home broken into; I feel bad for them on a personal level, and I understand that these things happen. The employee may or may not have been targeted for the vault. Having a server breached and password vaults taken is a bit worse; especially for a security company, it shows a lack of expertise and a disregard for threats. Not disclosing that this happened was surprising, to say the least. Normally there are emails from LastPass warning about minor security issues, but I don’t recall seeing an email from them warning me that this happened.

Security Minus Trust

Security companies and products should feel a greater sense of accountability to the public. We have taken issue in the past with antivirus and VPN companies that have sold their users’ data to marketing companies, and we feel that LastPass You can look at Wordfence’s recent example of making threat data public to see a good example of community. LastPass allegedly tried to hide their company updates about the breached password vaults with noindex tags.

You can’t keep bad news out of Google with a noindex tag. Other outlets covered the story and made it even more outrageous. A recent corporate ownership takeover was brought up a lot, and ownership has changed hands again, but improvements within LastPass were few and far between before that. After switching to 1Password, LastPass just started to look really old and clunky. 1Password has been worth it so far, and a password manager is a real necessity until passwords are a thing of the past.

What Now?

We take our recommendations seriously, and we want to be diligent about cybersecurity. Security requires trust and vigilance. You don’t get to take days off and you can’t get caught misrepresenting the facts of the matter. We apologize for any inconvenience and hope your accounts are all still secure. Export your passwords to 1Password this week if you haven’t already.
