This week, LastPass, and its parent company GoTo, both published blog posts about their recent data breach: http://tcrn.ch/3ucMvBx

But if you search for GoTo's blog post in Google, you won't find it, because GoTo hid its breach notice from search engines using "noindex" code.

@zackwhittaker

That needs to be archived somewhere before they decide to change it 😕

@simonzerafa @zackwhittaker Internet Archive/Wayback Machine are way ahead of you. LOL!

@simonzerafa @zackwhittaker At least I got a wget of the basics of the page:

http://0x0.st/okSG.html

@simonzerafa @zackwhittaker Tried again. Still got pathetic results.

@simonzerafa @zackwhittaker Archive.is got my back too (It did take long tho).

https://archive.is/NXIL5

@zackwhittaker That's just pathetic. As if this story would blow up in like any tech news source and therefore find its way into search engines anyways. 🤷‍♂️
@winni @zackwhittaker It’s also weird. The more detailed description on the LastPass blog is indexable. So it’s really unclear what their idea was taking this article out of the search engines.
@zackwhittaker I recommend #Bitwarden. Free. Open source. Zero breaches.
@baruch @zackwhittaker I’ve read on here that a lot of people say that “zero breaches” just means zero publicized breaches. What would you say to that with respect to bitwarden?
@alexthepres @baruch @zackwhittaker

That is true but at the same time, the great thing about #Bitwarden and the clean-room implementation of the #Bitwarden #API, #Vaultwarden are both open sourced and allows you to self-host. You don't have to trust #Bitwarden & #Microsoft #Azure for securing your data.

With the self-hosted solution, you can take control of your data and still be able to get all the convenience the platform provides including all the apps (mobile/desktop) and browser extensions.
@baruch @zackwhittaker or 1password …. not free - worth every penny 😊
@zackwhittaker I am more on the side of “Lastpass did good, because they were transparent”. Well, that changes things a little.
@iougiri @zackwhittaker LastPass has been very transparent. Their business partner has not been. Maybe they should reevaluate the partnership. But other than that, this really isn't on LastPass at all, is it?
@aikensource @zackwhittaker Yes, I think it is more on GoTo, but aren’t they still the owners of LastPass, not just business partners?
@iougiri @zackwhittaker dang it... I did not realize that logmein rebranded as goto. UGH.
GoTo announced a year ago that they planned to spin off LastPass again into its own company, but it's unclear to me if that actually occurred or not.
@aikensource @zackwhittaker Yes, it’s not entirely clear if anything happened in the last year regarding the spin-off. But GoTo still sees the need to do a press release regarding the breach. If they had sold them, the only thing we would have heard from them right now would be a sigh of relief. Or opening of champagne bottles.
@iougiri @zackwhittaker clearly they're operating under different management, that's for sure. This does make me feel squirmy though.
@varpness @aikensource @zackwhittaker When LogMeIn was acquired by private equity firms a couple of years ago I switched to 1Password, but I think you cannot go wrong with BitWarden either, which I have since set up for family members.
.@zackwhittaker it's infuriating to know that LastPass unequivocally stated in September that no customer data was taken in the August breach, but admitted in the news for the latest incident that, yes, stuff WAS indeed taken in August.
@zackwhittaker That's ugly. Here in Spain one of the largest electric companies used the same technique a few days ago to hide the landing pages for the plans that have the electricity prices set by the Government. Yeah, those plans offer the best value for consumers and the worst margins for electricity providers.
@zackwhittaker wow that's totally chill and not weird at all
@zackwhittaker hey what a great tactic for a security company to use, right? fantastic. so excellent. lets all keep putting our passwords in the cloud! it'll be fiiiiiiine
@Viss @zackwhittaker Definitely looks bad on their part.
But it's also worth reminding folks that LastPass (and any other site worth their beans) use double encryption. Once the passwords are entered, they are encrypted in the database. Internal developers, or hackers cannot see them, even with full database access.
@zackwhittaker
Alt text:
Screen shot of html code with the following segment highlighted:
<link href="https://www.goto.com/blog/our-response-to-a-recent-security-incident" rel="canonical" />
<meta name="robots" content="noindex, nofollow">
@zackwhittaker Image description: HTML code from a <head> section. Highlighted is a <link> element pointing to the blog post in question with rel="canonical" and a <meta> element, name="robots" content="noindex, nofollow".
@zackwhittaker What does this mean on a practical level? They seem to be saying that encrypted password vaults weren't leaked. Should we still consider changing passwords?
@zackwhittaker This is cynicism at its highest art.
@zackwhittaker they also have "interesting" URLs for the webfonts right below that :D
@zackwhittaker any idea what is this *CDN* placeholder pattern for prefetch links?
@zackwhittaker why’s Canonical mentioned? Ubuntu?
@keplerniko Perhaps the adjective β€œcanonical” rather than Canonical Ltd
@kirkman yep I think you're right, was not familiar with that bit of HTML code
@keplerniko @zackwhittaker 𝚛𝚎𝚕=‘𝚌𝚊𝚗𝚘𝚗𝚒𝚌𝚊𝚕’ is a way to indicate that the page that’s being linked to is the only one that should be shown if a search engine finds multiple pages with the exact same data for whatever reason.
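As an added example (not code from this thread, from GoTo, or from any crawler), here is a small checker for the two tags the screenshot highlights: it scans a page's head for a robots meta tag and a rel="canonical" link and reports whether the page asks search engines not to index or follow it. The sample HTML is constructed from the snippet quoted in the alt text above; the X-Robots-Tag handling is an assumption about the same directive being delivered in an HTTP response header instead of in the HTML, which a view-source check alone would miss.

```python
"""Check whether an HTML page opts out of search-engine indexing.

Added example, not code from the thread or from GoTo. Looks for
<meta name="robots"> directives and a <link rel="canonical"> in the
document, plus an optional X-Robots-Tag header (same directives, sent
over HTTP rather than in the markup).
"""
from html.parser import HTMLParser

# Constructed sample: the two tags quoted in the thread's alt text, wrapped
# in a minimal document so the parser sees something realistic.
SAMPLE_HTML = """<!doctype html>
<html><head>
<title>Our Response to a Recent Security Incident - GoTo</title>
<link href="https://www.goto.com/blog/our-response-to-a-recent-security-incident" rel="canonical" />
<meta name="robots" content="noindex, nofollow">
</head><body><p>...</p></body></html>
"""


def parse_directives(value):
    """Split 'noindex, nofollow' into normalized tokens: ['noindex', 'nofollow']."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


class HeadScanner(HTMLParser):
    """Collects robots meta directives and the canonical URL from a page."""

    # Crawler-specific meta names carry the same directive vocabulary.
    ROBOTS_META_NAMES = ("robots", "googlebot", "bingbot")

    def __init__(self):
        super().__init__()
        self.robots = []        # every directive seen in a robots meta tag
        self.canonical = None   # href of <link rel="canonical">, if any

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names; attribute values may be None.
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in self.ROBOTS_META_NAMES:
            self.robots.extend(parse_directives(a.get("content", "")))
        if tag == "link" and "canonical" in a.get("rel", "").lower().split():
            self.canonical = a.get("href")


def indexability(html, headers=None):
    """Report indexable/followable flags, the canonical URL, and where each
    directive came from ("meta" or "header")."""
    scanner = HeadScanner()
    scanner.feed(html)
    sources = {}
    for d in scanner.robots:
        sources.setdefault(d, []).append("meta")
    # The same directives can be sent as an HTTP header (assumed here as
    # X-Robots-Tag), invisible in the HTML itself.
    for name, value in (headers or {}).items():
        if name.lower() == "x-robots-tag":
            for d in parse_directives(value):
                sources.setdefault(d, []).append("header")
    directives = set(sources)
    return {
        # "none" is shorthand for "noindex, nofollow".
        "indexable": not ({"noindex", "none"} & directives),
        "followable": not ({"nofollow", "none"} & directives),
        "canonical": scanner.canonical,
        "sources": sources,
    }


if __name__ == "__main__":
    report = indexability(SAMPLE_HTML)
    print(report)
```

Running it against the constructed sample reports the page as neither indexable nor followable, with the canonical URL pointing at the blog post itself, which is exactly the combination the screenshot shows: the page names itself as the canonical copy while telling crawlers to keep it out of the index.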
@zackwhittaker is this what Dijkstra meant by "goto considered harmful" ?
@zackwhittaker I have an account there which I'm not using, why wasn't I contacted about this?
@zackwhittaker what is the point of writing a blog post if nobody can find it? Perhaps it was sent in an email notification. Seems a bit silly to me.
@zackwhittaker that's despicable. I'm glad I don't use them.
@zackwhittaker Kinda hard to control the messaging around an incident when you deliberately take yourself out of the conversation. 🤦‍♂️
@zackwhittaker That seems quite a bit dishonest. I'll just keep #selfhosting my own bitwarden instance and keep away from LastPass.
@zackwhittaker I switched from LastPass to a self hosted Bitwarden, but never deleted my LastPass account, due to having an active subscription. This pushed me to delete my account permanently.

@zackwhittaker Hanlon's razor says this is probably just a mistake by some random developer or manager.

You can't really expect to hide something like this after sending out millions of emails.

https://en.m.wikipedia.org/wiki/Hanlon%27s_razor

@zackwhittaker I guess the elephant in the room (not sorry) is asking:

Lastpass:
1) Do you honestly believe that attempting to hide and conceal your ineptitude at security, serves the greater public good, or your bottom line, the most?

2) Do you honestly believe it is ethical to try and conceal your ineptitude from the public? Who gains from this stance, you or the public?

My belief is the answer to both those questions, from the available evidence at hand, is that you don't care one iota for the customer, but only about yourself.

The public urgently awaits your response, because what we can see right now, smells like a bucket of prawns left in the hot sun for a week. And it's not pretty.

@zackwhittaker @SwiftOnSecurity I am still waiting on a β€œGoTo considered harmful” joke :P
@zackwhittaker a little dodgy, but not so much, I think. The LastPass page is still indexed by search engines, right? 😬
@zackwhittaker lol here is one app where we don’t want to see data breach happening.