In September last year, a breach at LastPass’ parent company GoTo (formerly LogMeIn) culminated in attackers siphoning out all data from their servers. The criticism from the security community has been massive. This was not so much because of the breach itself, such things happen, but because of the many obvious ways in which LastPass made matters worse: taking months to notify users, failing to provide useful mitigation instructions, downplaying the severity of the attack, and ignoring technical issues which had been publicized years earlier and made the attackers’ job much easier.

LastPass promised to improve, both as far as their communication goes and on the technical side of things. So let’s take a look at whether they managed to deliver. So far I have failed to find evidence of any improvements whatsoever.

Update (): It looks like at least the issues listed under “Secure settings” are finally going to be addressed.

LastPass’ initial communication around the breach has been nothing short of a disaster. It happened more than three months after the users’ data was extracted from LastPass servers. Yet rather than taking responsibility and helping affected users, their PR statement was designed to downplay and to shift blame. For example, it talked a lot about LastPass’ secure default settings but failed to mention that LastPass never really enforced those. In fact, people who created their accounts a while ago and used very outdated (insecure) settings never saw as much as a warning. The statement concluded with “There are no recommended actions that you need to take at this time.” I called this phrase “gross negligence” back when I initially wrote about it, and I still stand by this assessment.

It took LastPass another two months of strict radio silence to publish a more detailed advisory. That’s where we finally learned some more about the breach. We also learned that business customers using Federated Login are very much affected by the breach; the previous advisory had explicitly denied that. But even now, we learn that indirectly, in recommendation 9 out of 10 for LastPass’ business customers. It seems that LastPass considered generic stuff like advice on protecting against phishing attacks more important than mitigation of their breach. And then the recommendation didn’t actually say “You are in danger. Rotate K2 ASAP.” Instead, it said “If, based on your security posture or risk tolerance, you decide to rotate the K1 and K2 split knowledge components…” That’s the conclusion of a large pile of text essentially claiming that there is no risk.

At least the advisory for individual users got the priorities right. It was master password first, iteration count after that, and all the generic advice at the end.

Except: they still failed to admit the scope of the breach. The advice was:

“Depending on the length and complexity of your master password and iteration count setting, you may want to reset your master password.”

And this is just wrong. Resetting the master password will help protect against future breaches, but it won’t help with the passwords already compromised. This advice should have really been:

“Depending on the length and complexity of your master password and iteration count setting, you may want to reset all your passwords.”

But this would amount to saying “we screwed up big time.” Which they definitely did.

Improvements?

A blog post by the LastPass CEO Karin Toubba said:

“I acknowledge our customers’ frustration with our inability to communicate more immediately, more clearly, and more comprehensively throughout this event. I accept the criticism and take full responsibility. We have learned a great deal and are committed to communicating more effectively going forward.”

As I’ve outlined above, the detailed advisory published simultaneously with this blog post still left a lot to be desired. But this sounds like a commitment to improve. So maybe some better advice has been published in the six months which passed since then?

Instead, the detailed advisory moved to the “Get Started – About LastPass” section of their support page. So it’s now considered generic advice for LastPass users. Any specific advice on mitigating the fallout of the breach, assuming that it isn’t too late already? There doesn’t seem to be any.
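To make concrete why the advice to reset the master password is insufficient once a copy of the vault has been stolen, here is an added example; it is not code from the original post and not LastPass’ own implementation. It models a vault as a blob encrypted under a key derived from the master password with PBKDF2, which is the general design the advice about iteration counts refers to. The salt value, the iteration count, the HMAC-based toy cipher (a stand-in for a real authenticated cipher) and the sample credentials are all constructed for this illustration. The walk-through shows that after a master password reset only the server’s copy is re-encrypted; the stolen copy still opens with the old master password, and the credentials it contains stay valid until each site password is actually changed.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Toy vault model, constructed for this example (not LastPass's real format).
# Key derivation is PBKDF2-HMAC-SHA256; the "cipher" is an HMAC keystream with
# an HMAC tag, standing in for a real AEAD such as AES-GCM.

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the vault key; the iteration count sets the per-guess cost."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def breach_scenario() -> dict:
    """Vault stolen -> master password reset -> site password reset."""
    salt = b"user@example.invalid"  # constructed per-account salt
    iterations = 5000               # constructed; stands for a low legacy setting
    old_master = "correct horse battery staple"
    new_master = "a completely different master password"
    site_passwords = {"shop.example.invalid": "old-site-password"}
    vault_plaintext = json.dumps(site_passwords).encode()

    # 1. Attacker exfiltrates the encrypted vault as it was at breach time.
    old_key = derive_key(old_master, salt, iterations)
    stolen_blob = encrypt_vault(old_key, vault_plaintext)

    # 2. User resets the master password. The server re-encrypts its copy
    #    under the new key; the attacker's copy is untouched.
    new_key = derive_key(new_master, salt, iterations)
    server_blob = encrypt_vault(new_key, vault_plaintext)

    # 3. The stolen copy still yields the stored credentials to anyone who
    #    recovers the OLD master password; they stay valid until each site
    #    password is changed.
    recovered = decrypt_vault(old_key, stolen_blob)
    recovered_passwords = json.loads(recovered) if recovered else {}
    after_site_reset = {"shop.example.invalid": "new-site-password"}
    site = "shop.example.invalid"

    return {
        "stolen_opens_with_old_master": recovered == vault_plaintext,
        "stolen_opens_with_new_master": decrypt_vault(new_key, stolen_blob) is not None,
        "server_copy_opens_with_old_master": decrypt_vault(old_key, server_blob) is not None,
        "recovered_credential_still_valid": recovered_passwords.get(site) == site_passwords[site],
        "recovered_credential_valid_after_site_reset": recovered_passwords.get(site) == after_site_reset[site],
    }


if __name__ == "__main__":
    for check, result in breach_scenario().items():
        print(f"{check}: {result}")
```

Running the script prints the five checks: the stolen blob opens with the old master password and not the new one, the server copy no longer opens with the old one, and the recovered site credential remains valid until the site password itself is reset. The iteration count only changes how expensive each master password guess is against the stolen blob; it cannot undo the exposure.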