How does anyone seriously trust LastPass anymore? Years ago, I was working for a company handling bank data. They were using LP immediately following a previous LP security incident and had no plans to migrate away.
zulban 4 hours ago [-]
A lot of people and orgs don't use security products for security. They use them for security theater. A vast majority of people, even many security people, will never hear about this breach. So LastPass still works great for them.
bko 3 hours ago [-]
I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.
With something like LastPass it's also much easier to create unique strong passwords for other sites.
Also, let's be real:
> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already. This has nothing to do with the security of your passwords stored in LP. They have some CRM, some person from their 800 employees clicked a sketchy link and it leaked that. It's not good, but its hardly an indictment of their product or usefulness
thesuitonym 46 minutes ago [-]
> I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.
> With something like LastPass it's also much easier to create unique strong passwords for other sites.
Sure, but LastPass, in addition to being the least secure option, doesn't even have a good user interface, and it's expensive. There are dozens of other password managers out there, each one better than LastPass in every way.
Arainach 26 minutes ago [-]
Doing the research takes time and energy.
Switching takes time and energy.
Changing all your passwords after you switch so they aren't potentially exposed in the next LastPass break takes time and energy.
People have a lot of things going on and have to make a decision about whether the risk justifies the effort.
Then there's feature gaps. LastPass is available on all platforms, has convenient sharing, a good story for emergency recovery if I'm incapacitated and want family to get access to things, and support for 2FA options such as Yubikey. Most competitors lack at least some of those, which is an issue if you're relying on them.
Personally, I left Lastpass for 1Password several breaches ago, but it took me a couple weeks of research to decide where to move to, at least a week of changing passwords on sites afterwards, and however much time and energy it took me to help others who I share credentials with switch at the same time.
fragmede 40 minutes ago [-]
Password managers are entirely a UX problem waiting to be solved better. Every time I hit a UX bug with my password manager, I mutter that I could do fix that, and then know that mine would also be worse in so many ways just to reach parity. What I wish is there was a public bug tracker of UX issues/optimizations that I, and the rest of the world, could log ideas to. Password managers are such a good idea but they all need just that much more work to be seamless.
qwertox 26 minutes ago [-]
> I'm pretty sure 99% of the people on exposed have already had their
Right, but LastPass is a company that wants to make you believe that you can trust them with some of your most important assets.
“On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,” LastPass says.
"We immediately launched an investigation and learned that, as part of this incident, an unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass.”
“The threat actor then used these credentials to access LastPass customer data within our Salesforce environment.”
TimTheTinker 44 minutes ago [-]
1Password checks all these boxes and hasn't yet had a data breach.
Their biggest security hole is probably somewhere in the operational pipeline between 1P browser client developers and the static file servers hosting them.
antiframe 2 hours ago [-]
> I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already. This has nothing to do with the security of your passwords stored in LP. They have some CRM, some person from their 800 employees clicked a sketchy link and it leaked that. It's not good, but its hardly an indictment of their product or usefulness
Would you be okay will a public database of all people's names, emails, addresses, phone numbers, and other contact details? After all, most people's data have already been leaked somewhere. Credit reporting agencies have leaked more sensitive data. I, for one, still expect companies to keep my private data private. Especially companies who's started purpose is to keep my secrets secret. It's a bad look for them and if I trusted them this would make me lose my trust in them. But, they already lost my trust two or three (I lost count) breeches ago.
vitally3643 2 hours ago [-]
Of course it's not okay. But this is pissing in the ocean. This is throwing buckets of water on the Titanic.
The damage is already done. Your private information was already leaked long ago. You can't make a sunk boat more wet.
antiframe 1 hours ago [-]
I agree the ship has sailed but I have no desire to make it easier for people to spam me or social engineer any of my accounts. If they want to send some crypto to some stangers on the internet to do it, I can't stop that, but I am not going to hand the info to them on a silver platter.
stingraycharles 2 hours ago [-]
Where I’m from there actually were guides like this of the whole country, published once a year, I think even into the early 2000s. They stopped doing it for cost savings, but this type of information being public is considered fairly normal by many, as long as you have the ability to unsubscribe.
briffle 2 hours ago [-]
Only if we also add Social Security numbers, since it was supposed to be a unique Identitifier (like an email) and not a secret.
philote 2 hours ago [-]
Yes, a public database like this would be acceptable. That way the info isn't paywalled behind some white pages site or similar. And then maybe I could even update my own info to be correct. Contact info is pretty much out there for most people already. Hell, I put it on my resume and send that out to many people and put it on public sites.
antiframe 1 hours ago [-]
I am glad you want the world to know your phone number, but not everyone does.
Since we still use SMS as second factors (or primary, as some in this thread said they don't write down passwords but just use password reset links to login), it's not the best security hygiene
brendoelfrendo 2 hours ago [-]
> I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.
Yeah but wanting a product like LastPass doesn't require that you use LastPass. There are many good alternatives.
bko 51 minutes ago [-]
What's the solution? Don't have a CRM and store stuff about customers under lock and key? Don't give access to the CRM to any employees? More security training about clicking shady links?
I don't get how you think some other competitor would be better suited against this threat. The right solution is to mitigate the damage. CRM has minimum available stuff, like names, addresses, etc. Don't keep stuff like payment information, passwords, etc in that place as that's the vulnerable system. It seems like that's what LP does and probably every other company in this space does.
Again, it's entirely reasonable to have an off the shelf CRM, pretty broad access to it. You try to prevent phishing email or phone scams (assuming this is what it was) but you have 800 employees, its bound to happen.
iamacyborg 29 minutes ago [-]
> What's the solution?
Use any of the other password managers that don't have the poor security history that LP do.
basilikum 1 hours ago [-]
> I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.
What you are describing is a password manager. No one here is questioning why people would use a password manager. That's like asking why people would use a toothbrush. The question is why anyone would use LastPass as their password manager.
> Also, let's be real:
> > The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
> I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already.
I'm sorry to put it so bluntly, but this comment strikes me as really baffling.
LastPass has a very long history of breaches, some of them very severe with a big fallout. It's at the point where the yearly LastPass breach has become a meme just like the yearly T-Mobile breach. It makes no sense whatsoever to look at this incidence without that context and to claim "it's not that bad, they only leaked xyz".
On another note, of course does a breach tell something about the security practices of a password manager company. You really want the developer of your password manager to have good security practices and any sign to the contrary is concerning even when it is not directly related to the core product. Of course security is not about absolutes and mistakes and incidents do happen – what counts is how, how is dealt with them and if they repeat. In the case of LastPass history, including this breach, shows that they have atrocious security and you do not want to let your credentials get any millimeter closer to them than you can possibly avoid.
> I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already.
Again, I'm sorry for being so direct, but this argument annoys me greatly: This argument – that others have done similar bad already and similar harm has already been done – is beyond stupid and needs to die. It's why slippery slopes are real. It's the reason why normalization of bad things happen. It's what people with bad intentions continuously use with great success to slowly make their bad deeds socially acceptable.
When my neighbor dumps his trash on the street that does not allow me to do the same and does not make it any better if I do. I will be just as much in the wrong as him. The only difference being – when I use that excuse – that I will also be a coward.
The wrongdoing of others is never an apology to do the same; and just because something bad is normal does not make it any better and it is especially not an argument for making it even worse.
ivanmontillam 4 hours ago [-]
This.
If you want to be a security vendor reseller, just make sure to sell to orgs that have a compliance requirement, either by law or similar.
Do you sell firewalls? sell them to banks or something. Anti-malware endpoints? Insurances too. SIEMs? payment gateways for their PCI DSS environments.
Price it just below what would be the fine for not complying, that way you maximize the invoice.
I stopped playing the security vendor reseller game because it got too boring this way to make money.
niyikiza 15 minutes ago [-]
Because procurement is hard. Changing vendors is a big undertaking for big companies. They are certainly not going to be switching vendors every time there is an incident
stymaar 4 hours ago [-]
And it will continue until we can sue company being breached for criminal negligence. Should a single company executive be personally liable in these situations, the scale of the problem would be orders of magnitude less severe because they would spend the appropriate amount of effort to cover their damn ass.
jordanb 3 hours ago [-]
This is it. These companies don't really care about their customer's data. Their SDLC is no more rigorous than any other SaaS product. They have junior people and (now) AI pushing code with a quick "LGTM" PR check just like everyone else.
The way to stop this is to have actual consequences for the decision makers here. You can build high-integrity software and some fields (avionics) have done it. But the organization needs to be built from the ground up to do it and nobody's going to do it if you can just get breached and offer a phony apology over and over again.
Forgeties79 3 hours ago [-]
“Here’s a year of credit monitoring. Be grateful.”
TimXare 3 hours ago [-]
At some companies, "approved security vendor" just means the breach comes with procurement paperwork.
jasonge0_0 2 hours ago [-]
Also use them as a password manager like an advanced version of Excel that fills in the passwords for you. Security isn't part of it. I have the feeling LastPass agrees.
close04 4 hours ago [-]
Moving to another solution involves some expense and operational risk (changing procedures, increased human error rates, locking yourself out). Even though the risk of staying with the existing solution goes from "unlikely" to "possible" (so maybe from yellow/amber to red), a lot of companies rationalize it as "but now the provider will be extra careful so the likelihood is actually lower".
Crowdstrike had a famous incident and is still probably #2 in the cybersecurity world. Sometimes assessing risk is a funny business.
fpoling 43 minutes ago [-]
I worked for a big company that switched from 1password to Keeper. The transition was smooth and I do not see why it shouldn’t be as long as IT knows what they are doing.
seb1204 3 hours ago [-]
True, but how come such risks are addressable when adding AI or opening up to yet another API or when some savings are promised with a new product/product feature?
close04 3 hours ago [-]
> when adding AI ... or when some savings are promised
Because savings are promised. And who could say no to AI? (/s)
There's always some risk mitigation possible but it's costly or inconvenient. Companies pretend the risk is lower so they can do whatever they wanted to do but now with less accountability. The risk matrix says so.
But sometimes the tradeoff is genuinely not worth it. The bottom line is that each company has to do it's own calculations and decide whether moving is overall a better choice. Which risk is higher, that your provider is breached again or that you have new operational issues with the new solution. Which costs more, a chance of another security issue, or the guaranteed expense of replacing the solution? You do the same math at home all the time. Your washing machine leaked once, do you replace everything or just patch the hole?
toomuchtodo 2 hours ago [-]
It is inertia. Customers are sticky, they do not switch unless they have to. If you're an enterprise, you have to go through establishing a new vendor relationship, onboarding a new password vault with your IT team, communicate it across the org, migrate data from the old password vault to the new password vault, etc. There is a real cost in time and resources to do this, and so, many avoid it until they have no other choice.
Lastpass is owned by PE. Why? Because Francisco Partners and Elliott Management bought a cashflow that is sticky. Its why most software companies were acquired by PE prior to the Cambrian explosion of generative AI.
dwoosley 3 hours ago [-]
I’ve done a lot of security consulting work for hundreds of companies and one thing I noticed is that the companies that actually took security seriously were the ones that had been breached in the past. Until the execs and board see the dollar impact themself and not just read about it, the security program never gets the funds it needs.
I’m not saying I recommend LastPass for that reason, but I wouldn’t write them off for that reason.
gonzalohm 3 hours ago [-]
But LastPass has been breached multiple times by now. I don't think they really care
dwoosley 3 hours ago [-]
There are lots of types of a “breach”. The first and second (the major ones) were likely related so more like one continuous incident. This one was a vendor breach that had access to their data so not a reflection of their security program as much as the first.
I’m not saying you’re wrong, I’m saying you can’t tell from this incident.
sys_64738 2 hours ago [-]
What happened to the old days of only getting one chance to f-up? Once chance and they should be gone permanently.
hosteur 3 hours ago [-]
How does anyone trust ANY third party with all their passwords and encryption keys is beyond me.
Setting up KeePassXC is trivial.
commandersaki 13 minutes ago [-]
E2EE done properly is why. See 1Password security whitepaper for how.
mook 35 minutes ago [-]
I use KeepassXC, but I have no need to share passwords with other people. In a corporate situation that would probably not work as well.
kirici 2 hours ago [-]
Passbolt and Bitwarden can be self-hosted on top of offering the usuals pros like MFA, an API incl. integrations (e.g. https://external-secrets.io/latest/provider/passbolt/) and a better UX that does not involve syncing files between team members
xtracto 3 hours ago [-]
This. KeePassXC plus Google Drive client is all you need.
pluc 2 hours ago [-]
People still use Windows
fidotron 4 hours ago [-]
The one that amazes me is Okta.
OK their Mac UX is great, but given their rate of incidents how can you trust it?
Clearly this stuff is not actually bought based on track record.
jordanb 3 hours ago [-]
Funny I used to work in an org with Okta.
Having your own auth workflow was instant fail with the well architected framework committee. Using Okta was instant pass.
I don't necessarily disagree with that policy but given that Okta was breached several times while I was working there, it was interesting the extent to which our CSO had blinders about it.
eddieroger 2 hours ago [-]
Liability is the answer! If you build an auth system and it fails, it's your backside. If Okta fails, it's theirs. Enterprises buy products as much as they buy protection from problems.
PunchyHamster 2 hours ago [-]
They don't offer any meaningful reimbursement if they lose your data so what does that matter ?
dust-jacket 1 hours ago [-]
Some of its about sharing the pain.
e.g. when Crowdstrike takes down Windows across the worlds or AWS east coast falls over everybody hurts. At that point the story is easy, you point at the broken thing, mumble something about improving resilience, and everyone just moves on.
Roll your own system and have it taken down / breached specifically? There's noone to point at. It's hard to make the narrative anything except it being your fault.
simonra 59 minutes ago [-]
You have (the perception of having) someone to forward the claim to once you're hit by one where the damages are quantified in money like a life insurance or disability payout caused by the data loss?
lowdude 3 hours ago [-]
As someone that is not really in the game, does Okta have such a bad track record, and are there alternatives that are considered solid? From the outside, it seemed like EntraID is a bit of a burning dumpster fire, while Okta seemed expensive, but usable and decent (from comments I read)
mrhottakes 3 hours ago [-]
The current default for lazy enterprise customers seems to be an unholy tangle of Active Directory, Entra, and Okta. If you use all three it's 3x more secure, right?
Avicebron 3 hours ago [-]
Okta I get, Entra I sort of get. But AD is great.
burnte 1 hours ago [-]
I had one of their salesmen harassing me back in 2018 or 2019 when one of their many breeches hit. I said "this is why."
farfatched 4 hours ago [-]
What's the risk, and does that change by moving to an alternative?
Companies deal with leaked secrets a lot. A company already using a password manager is ahead of the game.
Suppose they move to a competitor. That's a migration and training that someone has to drive. What do they gain? Another company that can also have exploits? Or they self-host, and now have to fund that, and still potentially get exploits?
Ultimately, this likely isn't that big of a deal for a company.
And they have to weigh it up against all the other things that they can be doing.
Those companies do not have the same number and severity of security incidents. lastpass is truly in a category of its own
parpfish 2 hours ago [-]
i'd love to switch from my lastpass family plan to... something else.
but there is a non-trivial switching cost to migrate several people (with varying technical aptitudes) that each use several platforms.
if 1password had a one-click migration flow they'd be able to win over a lot of converts.
mhurron 52 minutes ago [-]
You pretty much export your data from lastpass and import it into 1password. The only thing it doesn't do is have 1password log into your lastpass account and pull it out itself.
vel0city 57 minutes ago [-]
File > Import > LastPass. Log into LastPass. Now you have your LastPass details in 1Password.
I remember ten years ago telling our so-called leaders that the data will get leaked from LastPass. They were all gung-ho about it being secure blah de blah. Luckily most of us don't work there anymore.
DANmode 3 hours ago [-]
> They were using LP immediately following a previous LP security incident
“Yeah, but they fixed that!”
Normies don’t pull the historical list of breaches and vulns.
They just read headlines.
khurs 4 hours ago [-]
Lots more companies affected. Some more listed below:
>"Klue has not said how many of its hundreds of customers are affected. Several companies have come forward to confirm they had data stolen during the attack, including Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium."
>Cybercrime group Icarus took credit for the breach, saying on its leak site that it will publish the stolen data on Monday if the company does not pay the hackers’ ransom."
> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
fusslo 4 hours ago [-]
I'm sure this is worse than using lastpass in some way
but for the past couple years I've just generated and forgotten 90% of my passwords. the final 10% I keep in a password manager. But if the service isn't really that important I just use the 'forgot my password' to change and generate a new password every time I need to login
stanac 4 hours ago [-]
This works if the account doesn't have 2FA. On my last side project app users can login only via email OTP. There are security downsides with that, someone can send phishing link and use OTP submitted to the fake site, but the app doesn't store anything sensitive (it's a game which tracks your progress) so I guess it's not a major security risk.
seb1204 3 hours ago [-]
I got caught out as I had no longer access to the old phone number that was now used to send 2FA text.
fusslo 3 hours ago [-]
oh dang that's not good. I've had the same phone number since 2006 so I didn't really think about it
antiframe 2 hours ago [-]
But the phone number you have is not 100% in your control. I had AT&T flub something and I lost my number and they assigned me a new one (I was chanting my plan just after they did some merging with someone). Granted its unlikely but I would still use defense in depth and not have password reset be my only login method.
vel0city 55 minutes ago [-]
This is why a lot of services have just moved to using email with magic links to log people in.
In the end for a lot of services controlling your email is defacto controlling the login.
hbn 1 hours ago [-]
I've been an Enpass user for years because I got a lifetime purchase for a good deal. They don't host the cloud services for syncing passwords. Instead you just auth your cloud storage (I use Google Drive) and it syncs to that.
This approach seems better to me. For one thing, I'd already be screwed if someone malicious got into my Google account, probably worse than if they got into my password manager. And additionally, this means they're not creating an absolute jackpot of data to breach in a centralized place. No one's gonna hack Enpass of all their passwords because that would require hacking all of Google Drive, Dropbox, iCloud, etc. and looking for the files manually.
overflowy 1 hours ago [-]
How is that different from KeyPass for example?
woadwarrior01 1 hours ago [-]
I think it's time for LastPass to rebrand themselves as First0wned.
john_strinlai 3 hours ago [-]
any company that stuck around (or began using) lastpass after vaults were leaked probably does not care about this one at all, considering its just CRM data.
i can sympathize a little bit with companies that stick with lastpass. when i had to switch an org from lastpass to 1password, it was a massive undertaking and incredibly annoying. however, i have no sympathy for anyone who has chosen lastpass after 2022.
SV_BubbleTime 2 hours ago [-]
Agreed.
The non-story here is the data is of minor criticality.
The real story is is that however minor, you expect LastPass to be better. They’re a password storage company, in order to be trusted they need to be better than this.
felooboolooomba 2 hours ago [-]
Any detailed info on why Klue had this data, apart from being their partner? How does it serve LastPass customers to give that data to Klue?
saghm 2 hours ago [-]
Alternate revenue source to keep them in business as they probably hemorrhage customers due to being maybe the least secure password manager ever? I have to wonder how they have any customers left at all at this point
gomox 22 minutes ago [-]
No, Klue is a competitive intelligence tool for sellers. You use it to keep track of "battle cards" (i.e. if they are selling a deal vs. 1Password, sales rep would go into Klue to see what the advantages of LastPass are vs that specific competitor).
It's a purpose specific knowledge base, not a data broker or any sort. But it will surely have information of who you sold to or tried to sell to because of it.
insanitybit 4 hours ago [-]
This isn't great but it's not that big of a deal either. A lot of companies got bit by the Klue breach but it's not like your vaults are being accessed.
mrhottakes 3 hours ago [-]
The vaults were accessed years ago
master-lincoln 3 hours ago [-]
The encrypted vaults, yes. Ideally they are worthless when the master password is sufficiently complex
insanitybit 2 hours ago [-]
Yes, in a separate breach.
SV_BubbleTime 2 hours ago [-]
>The vaults were accessed years ago
> Yes, in a separate breech.
Not nearly that cut and dry.
Many, not all encrypted vaults leaked out. If you lost data it was because you used a weak master password for that vault.
insanitybit 1 hours ago [-]
My point is the same - nothing about this breach implies vault access, it explicitly is related to the Klue breach, which contains some customer PII.
> If you lost data it was because you used a weak master password for that vault.
Even this is more complex (horrible pbkdf2 defaults, you're welcome for getting lastpass to increase them btw that was me) but it isn't relevant, no vaults are accessed in this breach.
giancarlostoro 2 hours ago [-]
I ditched LastPass long ago for BitWarden, though I mostly use the Passwords app from Apple now.
username135 4 hours ago [-]
I switched to keepass a decade ago (maybe) and never looked back
1a527dd5 2 hours ago [-]
I'm so glad we migrated away from LastPass (to BitWarden). It was a breach that caused us to move in the first instance.
0xAstro 1 hours ago [-]
How is the experience with BitWarden clients so far? Their chrome extension bugs out for me for the most basic tasks.
CWuestefeld 37 minutes ago [-]
I was just making the change from LP to BW yesterday, completely by coincidence. My first reaction is that the out-of-box experience is poor.
The first step was easy. The account creation and import of legacy data all went pretty well. But after that it wasn't so pretty.
The first hurdle was trying to understand their model for sharing data (so my wife and I can share important credentials). The model that LastPass uses is pretty intuitive to me: it's just a matter of sharing a folder, so relatively transparent. But Bitwarden has a whole separate concept of "organization", and the items being managed don't go in "folders" here, but in "collections". So there are two separate, and subtly different, models in play, and this is confusing. The good news is that the client aggregates the data so when you're using it day-to-day to fill login forms, you don't have to worry about the differences.
Once I'd gotten the data in place, I had to get the clients set up on the various platforms (browser extensions; desktop native, which is actually required for the browser extension's security to work right; phone). The OoB settings were entirely paranoid, and had me re-entering the complex master password over and over, really annoying me. Figuring out how to get to a reasonable balance required figuring out some settings whose labels are misleading. For example, "Unlock with PIN" sounded to me like it was going to add an extra layer of security, but it turns out that it really means "allow unlock using PIN in lieu of master password".
Also, note that while most of the settings default to paranoia-level (like the "require master password every time I inhale", that I mentioned above), you will probably want to change the default crypto cypher. It defaults to PBKDF2, but a better modern approach is the other choice, Argon2id.
...which also reminds me that there's a distinct lack of parity between client platforms. Although you need the desktop native app to manage browser extension security, there's a bunch it can't do. For example, after importing my legacy data, I needed to select all the contents of my LP shared folders and move them to the BW organization collection, but the native app (which seems to be an Electron app, btw) doesn't have a multi-select feature; you need to do that in the online web app.
chinathrow 4 hours ago [-]
Sitting here with my KeepassX and being happy, again.
shizcakes 4 hours ago [-]
For folks new to the KeePass ecosystem, it’s KeePassXC[0] now. The original KeePass is still developed as well, however KeePassXC is a cross-platform updated version.
Syncing isn't a KeePassXC problem. The database is just a file. That may or may not make your life easier.
There are a few decent Android and iOS apps that work well. I use Nextcloud and WebDAV for access.
Not a setup I can recommend to just anybody though.
shizcakes 3 hours ago [-]
One of the security advantages of KeePass being just a file is that you can sync it in the way that makes sense to you.
The need to have an opinion on how you’d like to sync a file does, as you suggest, eliminate some portion of the population who need a fully baked answer in one step.
I used to use Google Drive, but now I use Syncthing, further reducing my exposure. Paired with Synctrain and KeePassium on iOS.
One tip: enable the atomic save option in settings to reduce the risk of weird cloud sync issues.
vova_hn2 2 hours ago [-]
What would happen if the file was edited concurrently? Would any data be lost?
AyyEye 1 hours ago [-]
If you try to write to a file that has been changed, it'll ask to merge them. Not sure what the behavior is if two try to edit the same entry.
antiframe 2 hours ago [-]
And if you use an untrusted sync like Google Drive, you can enable a keyfile and never let that file lane on Google Drive.
nickjj 3 hours ago [-]
The mobile app is quite good, it works and gets out of your way. I use it on Android.
For syncing, I do it manually with rsync. Given the database is 1 file it's easy to move around. You can rsync / scp it over, use a USB cable, use cloud storage, etc..
I use a password manager in a "read many, write infrequently" way so I don't mind occasionally syncing it as needed.
cryo32 3 hours ago [-]
I use keepassxc. I don’t sync mobile. My mobile device has an only the minimum subset of passwords I need saved on it.
SV_BubbleTime 2 hours ago [-]
These threads are always filled with keepass people who will tell you how great it is and not mention that you’re on your fucking own for you know Miner things like syncing or mobile use.
I’m sure it works for many people to Dropbox their vault around anytime they want to access something and manually handle copies and sync. I’m not nearly so naive as to think that has any degree of success outside tech bubbled people.
Using a password manager has 2 main tradeoffs and mistakes:
1- Tradeoff individual account risk, for systemic risk. You may argue password managers are safe, but few would argue that the risk model reduces the risk of individual password leaks more than the risk of all your passwords leaking. It's a tradeoff.
2- Cat and mouse security: There's a class of security decisions that work because they are new and different. First the weakness was that passwords were short, then you make passwords long but unmemorable, so people rely on some other mechanisms to authenticate, like a file on their computer, a drive, a fingerprint, facial recog, which may in turn be protected by a second factor password.
At first the new security model will not be stressed, but as more users migrate from one security model to the next one, that's when you are able to compare the security of both technologies, it starts being a juicy enough target that it becomes attacked.
So we are at the point where password managers are used enough that they start becoming worthwhile targets of attack (to overcome the difficulty of vulnerating them).
Also worth noting that these attacks are more winner-takes-all. In the sense that rather than seeing one account hacked every couple of hours, you will see them all hacked at once, because you introduced a vendor in the password supply chain AND because the vendor centralizes all of the passwords. So target that one vendor and from a single attack you get all the spoils. So when comparing the security of the olden method and the new, just 1 incident is enough to undo all of the reputational gains it has made over the years.
amenghra 4 hours ago [-]
Password managers (whether it's Lastpass or your browser's built-in password store) also protect against phishing since they tie passwords to domain names.
I don't think password managers which store encrypted vaults are less safe than trying to have and juggle strong unique-per-domain passwords, even if you think that the password manager is becoming a target.
al_borland 4 hours ago [-]
When they work… I finally gave up on 1Password as it has been getting worse and worse about actually autofilling for a few years. After all the Avengers turned into investors and the price increase was announced, I jumped ship. It felt like they were more worried about their ROI than the product. After 18 years of use, this was pretty disappointing.
amenghra 3 hours ago [-]
For personal use, Bitwarden + a Raspberry PI should work perfectly fine. Your devices will sync when you are home. If they get out of sync, your fallback is to password reset. Or use your browser's built-in password manager which also syncs in most cases. I prefer to be browser-agnostic since it gives an easy solution to handle non-web passwords.
zarzavat 4 hours ago [-]
"Password manager" used to mean a program that runs locally on your computer. At some point people started making it into a SaaS, because that's more profitable.
I do think there are some cases where an online password manager makes sense, e.g. for businesses, but for individuals it's better to just stick with an offline password manager, at least for the high value accounts.
pdimitar 4 hours ago [-]
You can and should have the best of both worlds. Using Enpass, the program _is_ local, it just backs up the entire database (encrypted SQLite3) to a cloud.
But if even that is too much then f.ex. `keepass` + a scheduled script to periodically backup to your own servers is also perfectly viable.
NoMoreNicksLeft 3 hours ago [-]
>At some point people started making it into a SaaS, because
Wait. That's a thing? Like, there are drooling, mouth-breathing stooges out there that would trust not just one of their passwords to such a thing, but all their passwords to it?
Biganon 55 minutes ago [-]
Are you sarcastic, or do you not realize your vault is encrypted with your master password and never readable to the service?
mkayokay 2 hours ago [-]
heavy mouth-breathing
panick21_ 3 hours ago [-]
It became SaaS because its more practical when you have many devices or many users.
acheron 4 hours ago [-]
The article is about a marketing data breach, not passwords.
al_borland 4 hours ago [-]
From a marketing perspective, a data breach of any kind looks horrible for a company whose entire job is keeping secrets safe.
TZubiri 2 hours ago [-]
I understand, just making a general comment.
And it's not unheard of that infections metastize, whether into developer accounts, product code... Probabilistically, this was a shot on goal.
I apologize for the mixed metaphors.
rpdillon 4 hours ago [-]
> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
kijin 3 hours ago [-]
It's not just about long vs. short passwords. IMO the greatest benefit of having a password manager -- whether it's a bloated Electron app or just a text file on your computer -- is that it enables you to juggle hundreds of different passwords, randomly generated for each site. It's the best way we know of to limit the blast radius when (not if!) some of those sites inevitably get hacked.
dist-epoch 2 hours ago [-]
We need a bitcoin hardware wallet kind of password manager, where the actual passwords are stored on a hardware security key. When you click on the computer on the password you want to use, the hardware security key shows it's name on it's screen, and asks you to press a button on it to confirm that you want to use it.
For backup, the hardware security key let's you download a file from it with all of your passwords encrypted, and the decryption password it's shown on it's screen (something like 12 random words)
>“On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,”
The specific dependency that gets companies infected, and the optics that result, are so important. There have been sillier examples, but you can see how in this case, the priority of sales and profits has resulted in the sacrifice of the main quality measure of their main and only product.
psandor 4 hours ago [-]
“ the priority of sales and profits has resulted in the sacrifice of the main quality measure of their main and only product”
What do you mean exactly here What do you think LastPass could have done to prevent this specific issue?
khurs 4 hours ago [-]
Did they need to give them all of this?
customer names,
phone numbers,
email addresses,
physical addresses,
support case data,
sales-related data.
lyu07282 4 hours ago [-]
Bitwarden doesn't redirect you to a third party if you visit their support page:
So this couldn't have happened to bitwarden, you own the reputation loss if any of your suppliers get owned. Though it really doesn't matter anymore for LastPass they leaked their customers vaults before, I have no idea how they can still be in business.
pasc1878 3 hours ago [-]
Not supply the information to any other company.
TZubiri 2 hours ago [-]
Not installing the infected package of course.
It's worth noting that this is not 'their marketing provider' what they do is load 30 different providers for some reason, to maximize the reach of their data sharing and advertising network. Well, their network reached too far and touched an infected node.
gomox 17 minutes ago [-]
You have no idea what Klue is
fn-mote 4 hours ago [-]
> the priority of sales and profits has resulted in the sacrifice of the main quality measure of their […] product
To be fair, and I don’t want to, supposedly the only thing that was compromised was contact info. No vaults were exfiltrated or unlocked (as far as the article info goes).
So this is really just another very boring info breach, not a targeted password-stealing hack.
The other breaches they suffered were worse.
throwawayffffas 4 hours ago [-]
So... you business plan is to secure peoples personal data by handing some of that data to a third party. Got it.
cyanydeez 4 hours ago [-]
the Achilles heel of a "secrets vault" is it becomes a defacto priority target. I still dont see how any reasonable person was convinced a cloud service was the best place to put all their secrets.
throwawayffffas 4 hours ago [-]
The problem is not the secrets vault. It's the casual acceptance of giving peoples data to third party processors. What value do last pass customers get from having their details passed on to a marketing firm? None. For all the talk of privacy and putting customers first they are acting like any other company in any other field.
tlb 4 hours ago [-]
Gmail is at least as large a target, and they don’t keep having breaches.
paulbjensen 3 hours ago [-]
Once more onto the breach…
jrm4 2 hours ago [-]
Lol. Again.
Private company third party password managers are bad. Across the board. They're a bad idea.
Deeply localized actual best practices can help solve this. Private companies can also help, but only if it isn't in the form of "you can't have this unless you pay for it." The point is, it's like fighting fires, you can't isolate it.
It's a complete dead-end and the sooner the industry realizes this the better.
greenavocado 2 hours ago [-]
This is why I use Microsoft Teams and Outlook as my password manager. I just save my passwords to draft or email them to my coworkers so they never lose track /s
Rendered at 16:19:37 GMT+0000 (Coordinated Universal Time) with Vercel.
With something like LastPass it's also much easier to create unique strong passwords for other sites.
Also, let's be real:
> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already. This has nothing to do with the security of your passwords stored in LP. They have some CRM, some person from their 800 employees clicked a sketchy link and it leaked that. It's not good, but its hardly an indictment of their product or usefulness
> With something like LastPass it's also much easier to create unique strong passwords for other sites.
Sure, but LastPass, in addition to being the least secure option, doesn't even have a good user interface, and it's expensive. There are dozens of other password managers out there, each one better than LastPass in every way.
Switching takes time and energy.
Changing all your passwords after you switch so they aren't potentially exposed in the next LastPass break takes time and energy.
People have a lot of things going on and have to make a decision about whether the risk justifies the effort.
Then there's feature gaps. LastPass is available on all platforms, has convenient sharing, a good story for emergency recovery if I'm incapacitated and want family to get access to things, and support for 2FA options such as Yubikey. Most competitors lack at least some of those, which is an issue if you're relying on them.
Personally, I left Lastpass for 1Password several breaches ago, but it took me a couple weeks of research to decide where to move to, at least a week of changing passwords on sites afterwards, and however much time and energy it took me to help others who I share credentials with switch at the same time.
Right, but LastPass is a company that wants to make you believe that you can trust them with some of your most important assets.
--
Probably related to this:
https://www.bleepingcomputer.com/news/security/lastpass-conf...
“On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,” LastPass says.
"We immediately launched an investigation and learned that, as part of this incident, an unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass.”
“The threat actor then used these credentials to access LastPass customer data within our Salesforce environment.”
Their biggest security hole is probably somewhere in the operational pipeline between 1P browser client developers and the static file servers hosting them.
Would you be okay will a public database of all people's names, emails, addresses, phone numbers, and other contact details? After all, most people's data have already been leaked somewhere. Credit reporting agencies have leaked more sensitive data. I, for one, still expect companies to keep my private data private. Especially companies who's started purpose is to keep my secrets secret. It's a bad look for them and if I trusted them this would make me lose my trust in them. But, they already lost my trust two or three (I lost count) breeches ago.
The damage is already done. Your private information was already leaked long ago. You can't make a sunk boat more wet.
Since we still use SMS as second factors (or primary, as some in this thread said they don't write down passwords but just use password reset links to login), it's not the best security hygiene
Yeah but wanting a product like LastPass doesn't require that you use LastPass. There are many good alternatives.
I don't get how you think some other competitor would be better suited against this threat. The right solution is to mitigate the damage. CRM has minimum available stuff, like names, addresses, etc. Don't keep stuff like payment information, passwords, etc in that place as that's the vulnerable system. It seems like that's what LP does and probably every other company in this space does.
Again, it's entirely reasonable to have an off the shelf CRM, pretty broad access to it. You try to prevent phishing email or phone scams (assuming this is what it was) but you have 800 employees, its bound to happen.
Use any of the other password managers that don't have the poor security history that LP do.
What you are describing is a password manager. No one here is questioning why people would use a password manager. That's like asking why people would use a toothbrush. The question is why anyone would use LastPass as their password manager.
> Also, let's be real:
> > The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
> I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already.
I'm sorry to put it so bluntly, but this comment strikes me as really baffling.
LastPass has a very long history of breaches, some of them very severe with a big fallout. It's at the point where the yearly LastPass breach has become a meme just like the yearly T-Mobile breach. It makes no sense whatsoever to look at this incidence without that context and to claim "it's not that bad, they only leaked xyz".
On another note, of course does a breach tell something about the security practices of a password manager company. You really want the developer of your password manager to have good security practices and any sign to the contrary is concerning even when it is not directly related to the core product. Of course security is not about absolutes and mistakes and incidents do happen – what counts is how, how is dealt with them and if they repeat. In the case of LastPass history, including this breach, shows that they have atrocious security and you do not want to let your credentials get any millimeter closer to them than you can possibly avoid.
> I'm pretty sure 99% of the people on exposed have already had their names, phone numbers, email and physical addresses leaked already.
Again, I'm sorry for being so direct, but this argument annoys me greatly: This argument – that others have done similar bad already and similar harm has already been done – is beyond stupid and needs to die. It's why slippery slopes are real. It's the reason why normalization of bad things happen. It's what people with bad intentions continuously use with great success to slowly make their bad deeds socially acceptable.
When my neighbor dumps his trash on the street that does not allow me to do the same and does not make it any better if I do. I will be just as much in the wrong as him. The only difference being – when I use that excuse – that I will also be a coward.
The wrongdoing of others is never an apology to do the same; and just because something bad is normal does not make it any better and it is especially not an argument for making it even worse.
If you want to be a security vendor reseller, just make sure to sell to orgs that have a compliance requirement, either by law or similar.
Do you sell firewalls? sell them to banks or something. Anti-malware endpoints? Insurances too. SIEMs? payment gateways for their PCI DSS environments.
Price it just below what would be the fine for not complying, that way you maximize the invoice.
I stopped playing the security vendor reseller game because it got too boring this way to make money.
The way to stop this is to have actual consequences for the decision makers here. You can build high-integrity software and some fields (avionics) have done it. But the organization needs to be built from the ground up to do it and nobody's going to do it if you can just get breached and offer a phony apology over and over again.
Crowdstrike had a famous incident and is still probably #2 in the cybersecurity world. Sometimes assessing risk is a funny business.
Because savings are promised. And who could say no to AI? (/s)
There's always some risk mitigation possible but it's costly or inconvenient. Companies pretend the risk is lower so they can do whatever they wanted to do but now with less accountability. The risk matrix says so.
But sometimes the tradeoff is genuinely not worth it. The bottom line is that each company has to do it's own calculations and decide whether moving is overall a better choice. Which risk is higher, that your provider is breached again or that you have new operational issues with the new solution. Which costs more, a chance of another security issue, or the guaranteed expense of replacing the solution? You do the same math at home all the time. Your washing machine leaked once, do you replace everything or just patch the hole?
Lastpass is owned by PE. Why? Because Francisco Partners and Elliott Management bought a cashflow that is sticky. Its why most software companies were acquired by PE prior to the Cambrian explosion of generative AI.
I’m not saying I recommend LastPass for that reason, but I wouldn’t write them off for that reason.
I’m not saying you’re wrong, I’m saying you can’t tell from this incident.
Setting up KeePassXC is trivial.
OK their Mac UX is great, but given their rate of incidents how can you trust it?
Clearly this stuff is not actually bought based on track record.
Having your own auth workflow was instant fail with the well architected framework committee. Using Okta was instant pass.
I don't necessarily disagree with that policy but given that Okta was breached several times while I was working there, it was interesting the extent to which our CSO had blinders about it.
e.g. when Crowdstrike takes down Windows across the worlds or AWS east coast falls over everybody hurts. At that point the story is easy, you point at the broken thing, mumble something about improving resilience, and everyone just moves on.
Roll your own system and have it taken down / breached specifically? There's noone to point at. It's hard to make the narrative anything except it being your fault.
Companies deal with leaked secrets a lot. A company already using a password manager is ahead of the game.
Suppose they move to a competitor. That's a migration and training that someone has to drive. What do they gain? Another company that can also have exploits? Or they self-host, and now have to fund that, and still potentially get exploits?
Ultimately, this likely isn't that big of a deal for a company.
And they have to weigh it up against all the other things that they can be doing.
Those companies do not have the same number and severity of security incidents. lastpass is truly in a category of its own
but there is a non-trivial switching cost to migrate several people (with varying technical aptitudes) that each use several platforms.
if 1password had a one-click migration flow they'd be able to win over a lot of converts.
https://support.1password.com/import-lastpass/?mac
“Yeah, but they fixed that!”
Normies don’t pull the historical list of breaches and vulns.
They just read headlines.
>"Klue has not said how many of its hundreds of customers are affected. Several companies have come forward to confirm they had data stolen during the attack, including Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium."
>Cybercrime group Icarus took credit for the breach, saying on its leak site that it will publish the stolen data on Monday if the company does not pay the hackers’ ransom."
https://techcrunch.com/2026/06/22/klue-hack-results-in-data-...
> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
but for the past couple years I've just generated and forgotten 90% of my passwords. the final 10% I keep in a password manager. But if the service isn't really that important I just use the 'forgot my password' to change and generate a new password every time I need to login
In the end for a lot of services controlling your email is defacto controlling the login.
This approach seems better to me. For one thing, I'd already be screwed if someone malicious got into my Google account, probably worse than if they got into my password manager. And additionally, this means they're not creating an absolute jackpot of data to breach in a centralized place. No one's gonna hack Enpass of all their passwords because that would require hacking all of Google Drive, Dropbox, iCloud, etc. and looking for the files manually.
i can sympathize a little bit with companies that stick with lastpass. when i had to switch an org from lastpass to 1password, it was a massive undertaking and incredibly annoying. however, i have no sympathy for anyone who has chosen lastpass after 2022.
The non-story here is the data is of minor criticality.
The real story is is that however minor, you expect LastPass to be better. They’re a password storage company, in order to be trusted they need to be better than this.
It's a purpose specific knowledge base, not a data broker or any sort. But it will surely have information of who you sold to or tried to sell to because of it.
> Yes, in a separate breech.
Not nearly that cut and dry.
Many, not all encrypted vaults leaked out. If you lost data it was because you used a weak master password for that vault.
> If you lost data it was because you used a weak master password for that vault.
Even this is more complex (horrible pbkdf2 defaults, you're welcome for getting lastpass to increase them btw that was me) but it isn't relevant, no vaults are accessed in this breach.
The first step was easy. The account creation and import of legacy data all went pretty well. But after that it wasn't so pretty.
The first hurdle was trying to understand their model for sharing data (so my wife and I can share important credentials). The model that LastPass uses is pretty intuitive to me: it's just a matter of sharing a folder, so relatively transparent. But Bitwarden has a whole separate concept of "organization", and the items being managed don't go in "folders" here, but in "collections". So there are two separate, and subtly different, models in play, and this is confusing. The good news is that the client aggregates the data so when you're using it day-to-day to fill login forms, you don't have to worry about the differences.
Once I'd gotten the data in place, I had to get the clients set up on the various platforms (browser extensions; desktop native, which is actually required for the browser extension's security to work right; phone). The OoB settings were entirely paranoid, and had me re-entering the complex master password over and over, really annoying me. Figuring out how to get to a reasonable balance required figuring out some settings whose labels are misleading. For example, "Unlock with PIN" sounded to me like it was going to add an extra layer of security, but it turns out that it really means "allow unlock using PIN in lieu of master password".
Also, note that while most of the settings default to paranoia-level (like the "require master password every time I inhale", that I mentioned above), you will probably want to change the default crypto cypher. It defaults to PBKDF2, but a better modern approach is the other choice, Argon2id.
...which also reminds me that there's a distinct lack of parity between client platforms. Although you need the desktop native app to manage browser extension security, there's a bunch it can't do. For example, after importing my legacy data, I needed to select all the contents of my LP shared folders and move them to the BW organization collection, but the native app (which seems to be an Electron app, btw) doesn't have a multi-select feature; you need to do that in the online web app.
[0] https://keepassxc.org/
There are a few decent Android and iOS apps that work well. I use Nextcloud and WebDAV for access.
Not a setup I can recommend to just anybody though.
The need to have an opinion on how you’d like to sync a file does, as you suggest, eliminate some portion of the population who need a fully baked answer in one step.
I used to use Google Drive, but now I use Syncthing, further reducing my exposure. Paired with Synctrain and KeePassium on iOS.
One tip: enable the atomic save option in settings to reduce the risk of weird cloud sync issues.
For syncing, I do it manually with rsync. Given the database is 1 file it's easy to move around. You can rsync / scp it over, use a USB cable, use cloud storage, etc..
I use a password manager in a "read many, write infrequently" way so I don't mind occasionally syncing it as needed.
I’m sure it works for many people to Dropbox their vault around anytime they want to access something and manually handle copies and sync. I’m not nearly so naive as to think that has any degree of success outside tech bubbled people.
Well, I hope Klue got them more customers than they are losing due to this.
1- Tradeoff individual account risk, for systemic risk. You may argue password managers are safe, but few would argue that the risk model reduces the risk of individual password leaks more than the risk of all your passwords leaking. It's a tradeoff.
2- Cat and mouse security: There's a class of security decisions that work because they are new and different. First the weakness was that passwords were short, then you make passwords long but unmemorable, so people rely on some other mechanisms to authenticate, like a file on their computer, a drive, a fingerprint, facial recog, which may in turn be protected by a second factor password.
At first the new security model will not be stressed, but as more users migrate from one security model to the next one, that's when you are able to compare the security of both technologies, it starts being a juicy enough target that it becomes attacked.
So we are at the point where password managers are used enough that they start becoming worthwhile targets of attack (to overcome the difficulty of vulnerating them).
Also worth noting that these attacks are more winner-takes-all. In the sense that rather than seeing one account hacked every couple of hours, you will see them all hacked at once, because you introduced a vendor in the password supply chain AND because the vendor centralizes all of the passwords. So target that one vendor and from a single attack you get all the spoils. So when comparing the security of the olden method and the new, just 1 incident is enough to undo all of the reputational gains it has made over the years.
I don't think password managers which store encrypted vaults are less safe than trying to have and juggle strong unique-per-domain passwords, even if you think that the password manager is becoming a target.
I do think there are some cases where an online password manager makes sense, e.g. for businesses, but for individuals it's better to just stick with an offline password manager, at least for the high value accounts.
But if even that is too much then f.ex. `keepass` + a scheduled script to periodically backup to your own servers is also perfectly viable.
Wait. That's a thing? Like, there are drooling, mouth-breathing stooges out there that would trust not just one of their passwords to such a thing, but all their passwords to it?
And it's not unheard of that infections metastize, whether into developer accounts, product code... Probabilistically, this was a shot on goal.
I apologize for the mixed metaphors.
For backup, the hardware security key let's you download a file from it with all of your passwords encrypted, and the decryption password it's shown on it's screen (something like 12 random words)
https://news.ycombinator.com/item?id=48647272
Third time's the charm
The specific dependency that gets companies infected, and the optics that result, are so important. There have been sillier examples, but you can see how in this case, the priority of sales and profits has resulted in the sacrifice of the main quality measure of their main and only product.
What do you mean exactly here What do you think LastPass could have done to prevent this specific issue?
customer names, phone numbers, email addresses, physical addresses, support case data, sales-related data.
https://bitwarden.com/help/
But LastPass does (Salesforce CNAME):
https://support.lastpass.com/s/?language=en_US
So this couldn't have happened to bitwarden, you own the reputation loss if any of your suppliers get owned. Though it really doesn't matter anymore for LastPass they leaked their customers vaults before, I have no idea how they can still be in business.
It's worth noting that this is not 'their marketing provider' what they do is load 30 different providers for some reason, to maximize the reach of their data sharing and advertising network. Well, their network reached too far and touched an infected node.
To be fair, and I don’t want to, supposedly the only thing that was compromised was contact info. No vaults were exfiltrated or unlocked (as far as the article info goes).
So this is really just another very boring info breach, not a targeted password-stealing hack.
The other breaches they suffered were worse.
Private company third party password managers are bad. Across the board. They're a bad idea.
Deeply localized actual best practices can help solve this. Private companies can also help, but only if it isn't in the form of "you can't have this unless you pay for it." The point is, it's like fighting fires, you can't isolate it.
It's a complete dead-end and the sooner the industry realizes this the better.