LastPass Says Hackers Stole Customer Support Case Data During Klue Breach (techcrunch.com) 22
LastPass says hackers stole customers' personal information, support case records, and sales data by breaching market research partner Klue. The password manager told TechCrunch that its own systems and password vaults were unaffected. However, the hackers used their access to obtain "reams of data about LastPass customers," the report says. From the report: In a blog post that shared information about the incident, LastPass said the hackers took customers' names, phone numbers, email addresses, and physical addresses, as well as customer support case data and sales-related data. It's not yet known what was in the contents of customer support tickets, although they likely contain fragments of potentially private or sensitive information. Customers typically contact customer service when they are having a billing issue or need assistance in gaining access to their accounts. Past incidents involving customer support tickets have included credentials and government-issued identity documents. The last data breach LastPass reported was in 2022, when hackers stole the company's entire store of customer password vaults.
You're having sex with every LastPass partner (Score:5, Insightful)
The expression "when you have sex with someone, you're having sex with every one of their partners as well" appears to apply to security software providers as well.
I guess ... (Score:4, Funny)
Re: (Score:1)
[golf-clap]
Great idea (Score:3)
I mean... people still buy M$ products, too. (Score:2)
Re: (Score:2)
Potentially private or sensitive information? (Score:4, Insightful)
Re: (Score:2)
"I'd wager a guess that this information includes the accounts that the customer is using LastPass to store passwords for."
On what basis would you make that wager? Do you have information that was not released?
I've seen enough (Score:4, Informative)
I think at this point it's safe to presume that any information shared with LastPass has been compromised or will be compromised shortly. Part of that is because they're incompetent, but most of it is because there's no way for any operation to do what they've set out to do: the threat model is completely against them. What they've built is one-stop shopping for attackers, so it's worth much more time, money, attention, and risk than many other operations. Obviously attackers know this and have planned/executed accordingly.
The right thing to do -- which won't happen because almost nobody does the right thing -- is to admit failure, issue refunds, and shut down.
Re: I've seen enough (Score:2)
I was a fan of LastPass for many years, but boy, they *systematically* ate through my willingness to support them. The basic concept of cloud-based password safes is entirely sound, so data breaches don't really worry me, but their flawed partition between cleartext and encrypted data, the sheer number of incidents and vulnerability reports (including in their crown jewels, the client software) and above all their tendency to deny and withhold and trickle out details in an attempt to save face, make them a
Re: (Score:2)
But, umm, the actual password data is encrypted with a key that only the customers have access to.
And Now... (Score:2)
And now, here's Baghdad Bob to explain that LastPass was never hacked, ever. That hacking LastPass is a complete impossibility. That it's all lies from imperial western password companies.
Number 6! (Score:4, Informative)
There are roughly five -publicly- disclosed security incidents (how many not publicly disclosed?):
2011
2015 - one of the two of the worst
2016
2017
2022 - 2023 - the worst
Now you can add 2026 to the list
Re: (Score:2)
Re: (Score:2)
"This makes the 6th data breach they have had."
This makes the 6th data breach that they've detected and admitted to.
People are still using LastPass? (Score:2)
Fool me once ...
Who was using Last Pass? (Score:3)
The problem now seems to be that the company committing mass digital molestation was hacked, who should not have had anything stored, so what does it really say about Last Pass? They're admitting they did not store the data using any form of acceptable security, and they've already surrendered password vaults, so will people jump ship now?
Security and privacy claims are useless if you constantly demonstrate that your entire security understanding is putting the wallet inside the shoe when you're at the beach.
People still use this shit? (Score:2)
Centralized storage (Score:2)
All these forced centrally-stored passwordmanagers failing and falling like flies over and over again, but still forcing customers into their subscriptions and storing the most sensitive data centrally on their servers.
This insane trend needs to finally stop.
LastPass (Score:1)