Oops. It wasn’t just account information… It was your passwords too!

The Verge:

If you have an account you use to store passwords and login information on LastPass, or you used to have one and hadn’t deleted it before this fall, your password vault may be in hackers’ hands. Still, the company claims you might be safe if you have a strong master password and its most recent default settings. However, if you have a weak master password or less security, the company says that “as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.”

If I were a LastPass user, I’d be very worried.

I’d probably move to another service, or find an on-premises solution that doesn’t rely on trusting someone’s ability to implement security correctly.

Whether or not they had played fast and loose with the security of their customers’ data is irrelevant — unless you are an EU citizen, and perhaps you should look at provisions under the GDPR for redress. I’m not a lawyer, yada yada… — their slow drip feed of disclosure is unforgivable.

They either knew and were withholding information (did someone mention GDPR?), or they didn’t know that they had put customer password data on backups, albeit encrypted. Both are dreadful examples of management.

There are a number of commentators speculating that cracking this data will take millions of years. I doubt it. Quantum computing, for one, is likely to solve that problem soon. Two, that estimate only holds true if we are static and don’t progress. A hundred years ago, we couldn’t imagine that we would have things we take for granted today in less than a million years.

23 December 2022 — French West Indies

Matthew Cowen @matthewcowen