I stopped using Lastpass in 2017 after the second breach that year that allowed remote code execution:

https://en.wikipedia.org/wiki/LastPass#2017_security_inciden...

It wasn't so much that that happened, but rather their response:

https://blog.lastpass.com/2017/03/important-security-updates...

- "Our investigation to date has not indicated that any sensitive user data was lost or compromised"

- "No master password change is required"

- "No site credential passwords need to be changed"

Given the fact that an attacker could run code in a user's browser extension without any communication with Lastpass servers, there was no way for them to know whether the master or site passwords had been stolen. The only responsible thing for them to do at that point in my view was to recommend everyone change all their passwords. Instead they completely played it down.

So they completely lost my trust and I spent the next several days moving off Lastpass and changing the passwords for hundreds of websites... I feel for all of you finding yourselves in that situation now. :-(
