> I guess they have no incentive to admit a breach
It's an interesting game: Reputation is essential to their business. Admitting a breach will harm their reputation, denying it and then getting caught will harm it a lot, but denying it without being proven wrong will probably harm their reputation less (than an admission).
Personally, I'd rather trust a provider that admits a breach, provides transparency, demonstrates good incident response, and hasn't shown complete incompetence from the breach than a provider that has credible rumors of a breach and no good explanation, but I think I'm in the minority here.
Notably, TeamViewer had one of these "rumors but denying a breach and claiming credential stuffing" cases (they later admitted that they also had an earlier but unrelated intrusion that they kept secret for three years, which doesn't help). I think that if it was more than credential stuffing (that's a big if; the credential stuffing explanation is plausible), the strategy worked much better than admitting a breach.