[syvanen]

So this blog seems to completely ignores LastPass statement from 2021-12-28:

> Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.

Source: https://blog.lastpass.com/2021/12/unusual-attempted-login-ac...

Source2: https://twitter.com/troyhunt/status/1476296988001849345?s=21

[_aavaa_]

That statement is too squirrelly for me to trust if my passwords were stored with them.

“SOME of these security alerts” “were LIKELY triggered” “HAS BEEN solved” (Emphasis mine)

How can the issue be definitely solved if you aren’t sure that they were actually triggered in error, if they were in error then it’s only some of them.

[md_]

It's easy for me to imagine how you get here.

- Eng are still writing the postmortem

- Marketing want to put out a statement

- Eng know or suspect a bug exists that can trigger spurious notifications, but don't have sufficient logs to be able to reconstruct if that bug was in fact in play in production

- Legal advises not to say anything definitive that they can't stand behind later

I don't see any of that as particularly damning or malicious. "We aren't yet sure, but have a suspicion and are still investigating" can come out like the LastPass blog post when run through the PR filter.

[_aavaa_]

Be that as it may, which I have my doubts about since they are quite definitive about the problem being solved, I don't want a PR filter from the company that I would trust with my passwords.

What I want to know is have I been compromised or not, the PR saves face at further expense of users (if they truly have been compromised).

[tuwtuwtuwtuw]

> What I want to know is have I been compromised or not,

They have been extremely clear that they have not found any signs of compromise. Did you miss that?

Of course no company can technically guarantee that they have not being compromised. If you are looking for someone telling you at any point they are 100% confident no user accounts have been compromised, then you will pick a company lying to you.

[aflag]

They should be able to explain why so many people received the email though. Was there a fault in the notification system or not? Are they going to send messages to the individuals which received the notification in error?

I get that direct evidence of a leak is difficult. However, a sudden surge of master passwords being known by third parties in uncorrelated accounts is a very good evidence that something happened. If that's not what happened, then what happened exactly? Was it really a bug in the notification system? Do they have evidence that the password used in the blocked login attempts weren't really the actual master password?

There is a lot of things they can do to show they are on top of things.

[tragictrash]

combine that with lastpass' history of security mistakes, the people in on hn claiming that they didn't reuse the master password, and the press releases gas lighting their users, I'm not buying their story for a second.

[_aavaa_]

I did not miss that. But it's harder for me to read that as a technical statement and not more PR after the rest of the PR.

I also agree with you about the 100% confidence about not being compromised. Perhaps my previous statement was too black/white. I don't want PR or placating statements, I want a transparent status report without weasel words and which exhaustively covered the different cases (e.g. SOME of the messages were sent in error. what about the rest? Are the rest routine compromises that happen normally? Or was there a spike in compromised accounts?)

[ajb]

No, they say "As a result, we have adjusted our security alert systems and this issue has since been resolved."

They are claiming they know what the bug was.

[joenathanone]

They *need* to go into great detail if people are supposed to trust them with their digital life. That statement isn't nearly enough.

[foobiekr]

After all the problems with lastpass, who was even trusting them at this point?

[ajb]

My employer tried to move off them 2 years ago and didn't manage it.

The problem is the year subs. To avoid wasting money you need to do it at the end of a year, but you also need to get your users trained up before the switch. We hit a complication and ran out of time and so had to re-up.

[joenathanone]

I could see if you were a big company, trying to migrate a bunch of users and retrain them on a new password manager would be costly, there are probably admins out there looking for any reason not to make the move, but at this point, I think they have lost all credibility.

[ajb]

Yeah absolutely.

[mcguire]

Not necessarily. That could be read as them simply turning off the alerts (ideally, until they figure out and fix the bug).

[ajb]

Eurgh, I suppose it could mean that. Very misleading if so.

[shkkmo]

Then why not say:

"We have identified and fixed bugs that could result in incorrect masterpassword use notifications being sent but we have not yet been able to determine which if any of the recent wave of notifications were caused by those bugs. We are still investigating the issue".

Instead of communicating clearly around a serious security incident they are using mealy mouthed PR speak which does nothing to improve their image.

[md_]

Sure, I'm with you, but this is pretty par for the course on incident comms.

[GekkePrutser]

You don't take into account that support told some of the customers that there was indeed a login attempt with valid password. I'm that sense it does sound a bit like backtracking. Now it's supposed to have only been a reporting error.

[cortesoft]

That is the wording they have to use, right? They can't be certain that ALL the people who have seen these emails are caused by the buggy email notification code... I am sure some legitimate notifications were also sent out during the time, so how would they know if any of those were caused by something else?

[dwattttt]

It's not the wording they could use if they were sure that at least one alert was sent in error; then they wouldn't say it was likely, they'd say they know there were erroneous alerts. As it is, they're just speculating the alerts were wrong, which bodes very poorly.

[singlow]

I think they are sure they triggered some of the errors. However they may not be able to identify which ones were caused by their bug and which ones were legitimate attacks, which probably happen at some rate each day.

If you are a customer, and you received this message, you should definitely change your master password and probably rotate your stored passwords. You don't know if your email was real or not.

However, it explains why so many users were getting this message recently in a plausible way, that is not too hand-wavy except for their dodgy track record. Its not the level of transparency I would expect from Mozilla or even Reddit, but its par for the course.

You should probably migrate to another password store. I moved away a while ago for other trust reasons, but this particular incident on its own is not that concerning to me.

[contravariant]

I've definitely used that exact wording when ALL of the problems were DEFINITELY triggered by something but I still didn't fully understand how.

[willis936]

Which is exactly what you say when facing an existential crisis. If you have a master password leak you either:

  1. lie about it and the truth never comes to light
  2. lie about it and get caught and the consequences are the same as if you came clean

If LP suffered a master password leak then there is no benefit to telling the truth.

[mgraczyk]

One advantage of telling the truth is that you don't go to prison for fraud.

When evaluating this kind of conspiracy theory, it's important to consider the number of people who would have to remain silent for the conspiracy to survive, and to consider how much it would cost to keep that many people silent. In this case, it's at least a few dozen so I think it's fair to assume that such a lie would not survive very long.

[tibbetts]

A few dozen, most of whom took a job at a security firm and one might imagine are the type reluctant to maintain a lie like this.

[imwillofficial]

This is broken thinking built on faulty assumptions. There are countless examples of massive conspiracies and secrets never leaking.

[nmca]

Can you provide some? I have previously only heard "santa".

[imwillofficial]

Sure, I do contracting work for the military. There are hundreds of millions of secrets kept every day with hundreds of thousands of people keeping their mouths shut. Leaking is exceedingly rare.

[atty]

You have not provided any evidence or examples, just a “trust me”, which is essentially worthless. Also, there is a difference between a secret and a conspiracy. Secrets can survive for a long time, whereas history suggests that conspiracies rarely, if ever, succeed long term.

[colejohnson66]

The military has a much bigger threat of prison for yourself than a company that the investors sue

[wongarsu]

D-Day and the operations around it? Various price fixing cartels that were eventually prosecuted?

Naming conspiracies that have never leaked is kind of hard, since we wouldn't know about them. So you have to look for examples of things that were talked about after they stopped being relevant, or that were uncovered without anyone blabbing.

[tragictrash]

enron maydolf haliburton its literally everywhere you look

[mgraczyk]

Those all broke, that's how you know about them

[noah_buddy]

JFK, 9/11, and Epstein spring to mind for major conspiracies. I think anyone with a head on can see the government bodies tasked to investigate those affairs were rife with conflicted interests, duplicitous individuals, and some intent that they should be as narrow investigations as possible. Those secrets have been kept or at the very least the limited hangout worked so well that people think only nuts question them.

[op00to]

What about “JFK”? What’s special about the fraction 9/11? Are we talking Epstein from welcome back kotter?

You sound paranoid.

[dreae]

Then how do we have the examples?

[imwillofficial]

I’m not sure I understand your question. Can you state it in a different way?

[paulcole]

you’d need a microscope to see the overlap in the vein diagram of people who lie at work and the people who go to prison for lying at work.

[jjav]

> In this case, it's at least a few dozen so I think it's fair to assume that such a lie would not survive very long.

This is a very unlikely expectation. Employees are under NDA so nobody will talk publically about it unless one of them feel so strongly about it to sacrifice their career (they'd certainly get fired, and being sued for breaching the NDA isn't going to make finding a new job easier).

Employees at all companies keep quiet about bugs like these all the time, that's the most common outcome.

[nix9000]

>being sued for breaching the NDA isn't going to make finding a new job easier

NDAs are unenforceable against whistleblowers who report illegal activity.

[hsbauauvhabzb]

Would it actually be illegal to cover up/lie about? I assume the company is US based, there is certainly breach regulations in Aus (with a 12 month notification window). I guess if it’s publicly traded then it would be a breach of law, but what about if it was privately owned?

[fulafel]

Are there examples of jail time for fraud happening for beingdishonest about sw product flaws?

[devwastaken]

Tech companies are not held liable by the justice department or any other federal org. It's against their interests because they now depend on these services to operate. Which is why you will never see Amazon, Google, or Microsoft sued in any damaging capacity for the obvious fraud they commit. That being fake products, reviews, promoting scams, antitrust, etc.

[jazzyjackson]

The consequences of “Mea Culpa, please reset your master password” seem much less existential than denying and eventually being revealed as untrustworthy.

[jonny_eh]

> eventually being revealed as untrustworthy

Replace "eventually" with "maybe".

[imwillofficial]

Except earning trust with the customer, in a line of business that is built entirely on the customer trusting you to manage things properly.

[palant]

I haven’t seen it when I wrote the article. However, the formulation is vague enough that it could mean anything. Maybe the alerts were sent out by mistake which would be good news. But they don’t quite say that. Their statement might also mean that they rather disabled legitimate alerts so that people don’t get concerned. So they might have “cured” the symptoms without addressing the actual issue.

It certainly isn’t reassuring that they keep talking about credential stuffing, even though it’s quite unlikely to be the culprit here.

[tuwtuwtuwtuw]

What's the difference between "triggered in error" and "sent out by mistake" then? In this context they seem like the same..

[palant]

The difference is the word “likely” which means as much as “we have no idea.”

[abarringer]

"likely" "some", weasel words. Corporate marketing speak for we have no idea what happened so dream up some scenario that sounds plausible and do a press release.

[dehrmann]

Some of the emails were probably real, and they just happened to have been when there was supposedly a issue. That can't part be definitive.

[Ansil849]

LastPass's statement is extremely vague. _Why_ were these alerts triggered in error? What error triggered them?

[tuwtuwtuwtuw]

The lack of that specific information doesn't make it vague in my view.

If I tell to that the world appears to be shaped as a globe then that statement isn't vague just because I don't explain _why_ it appears shaped as a globe.

[Ansil849]

This isn't some abstract argument about your view of the world. This is a blogpost about a potentially very serious system fault. Customers want to know what the root cause of the fault was, so that they can evaluate whether to continue to do business with the company or not. It's very cut and dry.

[aflag]

It's vague because we don't know why you consider it to appear to be a globe. Did you fly in a rocket and saw it or do you just think that round is the perfect shape and God wouldn't create the world in any other way?

[tuwtuwtuwtuw]

That's not what the word vague mean though. If you make up your own definitions of words then it's not worth discussing with you.

[ohyeshedid]

I'm curious how that balances with everyone sharing random IP's from attempted account access. Where did those addresses come from? Why are users seeing them? Did the bug they're talking about cause bad data to be pushed to users dashboards?

[tuwtuwtuwtuw]

Several people have reported that if you tried to log on from a new IP with incorrect master password, then you got an email saying that someone tried to log on using your master password even though that was not the case.

[ohyeshedid]

I was referring to the IP's being shown to users.[1]

So then; Is the bug also responsible for pushing bad data to the users dashboards? If this is really a bug, it's a complicated one. I'd be curious if those IP's are still being shown on the users end.

[1]: https://news.ycombinator.com/item?id=29705957

[tuwtuwtuwtuw]

What "dashboards" are you referring to? I have not seen any dashboards in LastPass.

Why would it need to be a complicated bug? It could be as simple as:

If UnkownIP OR InvalidMasterPassword Then LogAndSendNotication

Instead of:

If UnkownIP AND InvalidMasterPassword Then LogAndSendNotication

Please tell me why it needs to be a complicated bug.

[ohyeshedid]

I don't have a link handy, nor currently familiar with LP's site or extensions:

The part of the site that shows the recent connections to your account, with IP's. People were sharing those IP's and thoughts in the linked thread.

That data came from somewhere; if it's related to this bug then this bug is also pushing incorrect data into other parts of the service. It's also entirely possible that it wasn't a bug, and instead a security issue, and that data is correct, and they're bending words to play it off as just a bug.

I can understand a bug triggering a warning system, but when it's also presenting related data in the account security logs; it's either a complicated bug or there's more to the story.

[tuwtuwtuwtuw]

> it's either a complicated bug or there's more to the story.

I showed you pseudo-code which could trigger this issue. It was trivial code which could cause it in practice. Yet you claim it must be complicated or more to the story. I have no idea why you feel that classifying a request in a certain way must be caused by a complicated bug - very strange.

I think you're into FUD-mode now because even after being shown wrong, you continue to spread misinformation.

Also, you are referring to LP functionality which to my knowledge doesn't even exist, and when asked you say you don't know the software being discussed.

Very strange behavior by you.

[softwarebeware]

Well...the word "likely" is a weasel word and not very comforting.