LastPass notifies users of yet another data breach
mooreds
491 points
213 comments
June 25, 2026
Discussion Highlights (20 comments)
lyu07282
https://news.ycombinator.com/item?id=48657784 https://news.ycombinator.com/item?id=48647272 Third time's the charm
TZubiri
Using a password manager has 2 main tradeoffs and mistakes:
1- Tradeoff individual account risk, for systemic risk. You may argue password managers are safe, but few would argue that the risk model reduces the risk of individual password leaks more than the risk of all your passwords leaking. It's a tradeoff.
2- Cat and mouse security: There's a class of security decisions that work because they are new and different. First the weakness was that passwords were short, then you make passwords long but unmemorable, so people rely on some other mechanisms to authenticate, like a file on their computer, a drive, a fingerprint, facial recog, which may in turn be protected by a second factor password. At first the new security model will not be stressed, but as more users migrate from one security model to the next one, that's when you are able to compare the security of both technologies, it starts being a juicy enough target that it becomes attacked.
So we are at the point where password managers are used enough that they start becoming worthwhile targets of attack (to overcome the difficulty of vulnerating them). Also worth noting that these attacks are more winner-takes-all. In the sense that rather than seeing one account hacked every couple of hours, you will see them all hacked at once, because you introduced a vendor in the password supply chain AND because the vendor centralizes all of the passwords. So target that one vendor and from a single attack you get all the spoils. So when comparing the security of the olden method and the new, just 1 incident is enough to undo all of the reputational gains it has made over the years.
throwawayffffas
So... your business plan is to secure people's personal data by handing some of that data to a third party. Got it.
jagged-chisel
How does anyone seriously trust LastPass anymore? Years ago, I was working for a company handling bank data. They were using LP immediately following a previous LP security incident and had no plans to migrate away.
fusslo
I'm sure this is worse than using LastPass in some way, but for the past couple of years I've just generated and forgotten 90% of my passwords. The final 10% I keep in a password manager. But if the service isn't really that important, I just use the 'forgot my password' to change and generate a new password every time I need to log in.
variety8675
https://blog.lastpass.com/posts/klue-supply-chain-incident-a...
> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
khurs
> an incident that occurred at Klue (klue.com), a third-party market intelligence platform
Well, I hope Klue got them more customers than they are losing due to this.
khurs
Lots more companies affected. Some more listed below:
> "Klue has not said how many of its hundreds of customers are affected. Several companies have come forward to confirm they had data stolen during the attack, including Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium."
> "Cybercrime group Icarus took credit for the breach, saying on its leak site that it will publish the stolen data on Monday if the company does not pay the hackers’ ransom."
https://techcrunch.com/2026/06/22/klue-hack-results-in-data-...
chinathrow
Sitting here with my KeepassX and being happy, again.
insanitybit
This isn't great but it's not that big of a deal either. A lot of companies got bit by the Klue breach but it's not like your vaults are being accessed.
username135
I switched to keepass a decade ago (maybe) and never looked back
ChrisArchitect
Source: https://blog.lastpass.com/posts/klue-supply-chain-incident-a...
john_strinlai
any company that stuck around (or began using) lastpass after vaults were leaked probably does not care about this one at all, considering it's just CRM data. i can sympathize a little bit with companies that stick with lastpass. when i had to switch an org from lastpass to 1password, it was a massive undertaking and incredibly annoying. however, i have no sympathy for anyone who has chosen lastpass after 2022.
paulbjensen
Once more onto the breach…
jrm4
Lol. Again. Private company third party password managers are bad. Across the board. They're a bad idea. Deeply localized actual best practices can help solve this. Private companies can also help, but only if it isn't in the form of "you can't have this unless you pay for it." The point is, it's like fighting fires, you can't isolate it. It's a complete dead-end and the sooner the industry realizes this the better.
felooboolooomba
Any detailed info on why Klue had this data, apart from being their partner? How does it serve LastPass customers to give that data to Klue?
greenavocado
This is why I use Microsoft Teams and Outlook as my password manager. I just save my passwords to draft or email them to my coworkers so they never lose track /s
thenews
oh well, time to remind users of keepass
giancarlostoro
I ditched LastPass long ago for BitWarden, though I mostly use the Passwords app from Apple now.
angelmm
Quite happy I moved away from LastPass a long time ago. There are many options out there you can use.