I'm not too worried because anything important that I have in LP is protected by 2FA. It's notable that the author says his accounts are protected by 2FA, but I don't understand how LP being hacked would allow an attacker to defeat that.
Just for your consideration, I'd bet good money that the 2FA only protects against login credential stuffing, but the vault data is only protected by your master password and can be attacked offline and indefinitely.
I mean the individual accounts are protected by 2FA. I have an account or two where I know the password has been leaked, but they're so unimportant that I can't be bothered to change the passwords. They still can't get in without my approval.
He said his seed phrases were in LastPass. There is no 2FA protection for private keys if the assets are in his crypto wallet and he's custodying them.
He said there wasn't much value in the wallets. Doesn't strike me as crazy to keep a small amount in something convenient. You see a similar convenience/security trade-off made by big players, with immediate transactional needs satisfied by online/hot wallets and reserves held in offline/cold wallets.
I can see it both ways. It is putting all your eggs in one basket. The flip side is that your vault is supposed to be protected enough that that shouldn't be an issue.