Wladimir PalantDec 26, 2022

Writing more about #LastPassBreach feels like beating a dead horse. But I had a look at the official statement again and it is highly misleading. I felt the need to provide some context that #LastPass is willingly omitting.

“Again, it seems that LastPass attempts to minimize the risk of litigation (hence alerting businesses) while also trying to prevent a public outcry (so not notifying the general public). Priorities…”

https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/

What’s in a PR statement: LastPass breach explained

The LastPass statement on their latest breach is full of omissions, half-truths and outright lies. I’m providing the necessary context for some of their claims.

Almost Secure
Show threadolekDec 30, 2022
hey @WPalant I was a LastPass user, but I closed the account in October. Do you think my data is in danger?
Show threadWladimir Palant
@olek Yes, most likely. LastPass still won’t tell when the data was copied, but I strongly suspect that it was before October. And even for people who closed their accounts before August, the big question is whether the data was also removed from this “backup storage.”
Dec 30, 2022 at 9:33amWeb
Show threadolekDec 30, 2022
@WPalant understood 👍
shouldn't be like that LastPass sends an email to me with the information that my data has been breached?
Show threadWladimir PalantDec 30, 2022

@olek They did, to all the active accounts. Your fault, you having deleted your account at a wrong time. 🤷‍♂️

I wonder what the US law would say about it. Somebody should try it out.

Show threadolekDec 30, 2022
@WPalant that's wrong 😞 they should have informed me anyway...
Show threadWladimir PalantDec 30, 2022
@olek Yes, that was sarcasm. I’m fairly certain that the disclosure laws require them to notify affected former customers as well. Question is whether there will be any notable consequences for them because of failing to do so.
Show threadolekDec 30, 2022

@WPalant

I got your sarcasm 😄

let's say, I don't want to have anything to do with LastPass and I'm a happy customer of @bitwarden

what should I do, to be sure I'm not in danger? Change all the passwords that I imported from LastPass to Bitwarden?

Show threadWladimir PalantDec 30, 2022
@olek Yes, that would definitely put you on the safe side. At the very least it’s a good idea to change the password for important accounts (email, banking, shopping).
Show threadolekDec 30, 2022
@WPalant understood, will do! thanks for the advice 👍