TL;DR: LastPass is broken. All passwords at the time of the breach were taken. They also got internal secrets from a laptop and can now probably throw computational power at anything they want to decrypt.

Switch. Do not use. Change everything you have if you were using it. Treat everything as breached.

  • MaoistLandlord [he/him]
    ·
    2 years ago

    The data accessed from those backups included system configuration data, API secrets, third-party integration secrets

    It’s almost as if security should be publicly audited and based on well-known encryption methods and not obscurity

    • Awoo [she/her]
      ·
      2 years ago

      The whole thing is a complete and total disaster. If you click through to the page about what was taken it's basically fucking everything. They must be treated as completely insecure, all secrets stolen, someone out there very probably has the ability to just access anything they want if they know what to do with it.

      It's the worst breach I think I have ever seen.

      • MaoistLandlord [he/him]
        ·
        2 years ago

        The best part is that the press release doesn’t cover everything. Media outlets have been reporting that only a few people had access to this information, like 4 or so. And they were able to access it via their home devices and didn’t use a company device lol