by _aavaa_ 1638 days ago
That statement is too squirrelly for me to trust if my passwords were stored with them.

“SOME of these security alerts” “were LIKELY triggered” “HAS BEEN solved” (Emphasis mine)

How can the issue be definitely solved if you aren’t sure that they were actually triggered in error? And if they were in error, then it’s only some of them.


It's easy for me to imagine how you get here.

- Eng are still writing the postmortem

- Marketing want to put out a statement

- Eng know or suspect a bug exists that can trigger spurious notifications, but don't have sufficient logs to be able to reconstruct if that bug was in fact in play in production

- Legal advises not to say anything definitive that they can't stand behind later

I don't see any of that as particularly damning or malicious. "We aren't yet sure, but have a suspicion and are still investigating" can come out like the LastPass blog post when run through the PR filter.

Be that as it may, which I have my doubts about since they are quite definitive about the problem being solved, I don't want a PR filter from the company that I would trust with my passwords.

What I want to know is whether I have been compromised or not; the PR saves face at further expense of users (if they truly have been compromised).

> What I want to know is have I been compromised or not,

They have been extremely clear that they have not found any signs of compromise. Did you miss that?

Of course no company can technically guarantee that they have not been compromised. If you are looking for someone telling you at any point that they are 100% confident no user accounts have been compromised, then you will pick a company lying to you.

They should be able to explain why so many people received the email though. Was there a fault in the notification system or not? Are they going to send messages to the individuals who received the notification in error?

I get that direct evidence of a leak is difficult. However, a sudden surge of master passwords being known by third parties in uncorrelated accounts is very good evidence that something happened. If that's not what happened, then what happened exactly? Was it really a bug in the notification system? Do they have evidence that the passwords used in the blocked login attempts weren't really the actual master passwords?

There are a lot of things they can do to show they are on top of things.

Combine that with LastPass' history of security mistakes, the people on HN claiming that they didn't reuse the master password, and the press releases gaslighting their users, and I'm not buying their story for a second.

I did not miss that. But it's harder for me to read that as a technical statement and not more PR after the rest of the PR.

I also agree with you about the 100% confidence about not being compromised. Perhaps my previous statement was too black/white. I don't want PR or placating statements, I want a transparent status report without weasel words and which exhaustively covers the different cases (e.g. SOME of the messages were sent in error. What about the rest? Are the rest routine compromises that happen normally? Or was there a spike in compromised accounts?)

No, they say "As a result, we have adjusted our security alert systems and this issue has since been resolved."

They are claiming they know what the bug was.

They *need* to go into great detail if people are supposed to trust them with their digital life. That statement isn't nearly enough.

After all the problems with LastPass, who was even trusting them at this point?

My employer tried to move off them 2 years ago and didn't manage it.

The problem is the year subs. To avoid wasting money you need to do it at the end of a year, but you also need to get your users trained up before the switch. We hit a complication and ran out of time and so had to re-up.

Surely the cost of the subs is trivial compared to the cost of training users etc?

I could see that if you were a big company, trying to migrate a bunch of users and retrain them on a new password manager would be costly. There are probably admins out there looking for any reason not to make the move, but at this point, I think they have lost all credibility.

Yeah absolutely.

Not necessarily. That could be read as them simply turning off the alerts (ideally, until they figure out and fix the bug).

Eurgh, I suppose it could mean that. Very misleading if so.

Then why not say:

"We have identified and fixed bugs that could result in incorrect master password use notifications being sent, but we have not yet been able to determine which, if any, of the recent wave of notifications were caused by those bugs. We are still investigating the issue".

Instead of communicating clearly around a serious security incident they are using mealy-mouthed PR speak which does nothing to improve their image.

Sure, I'm with you, but this is pretty par for the course on incident comms.

You don't take into account that support told some of the customers that there was indeed a login attempt with a valid password. In that sense it does sound a bit like backtracking. Now it's supposed to have only been a reporting error.

That is the wording they have to use, right? They can't be certain that ALL the emails these people have seen were caused by the buggy email notification code... I am sure some legitimate notifications were also sent out during the time, so how would they know if any of those were caused by something else?

It's not the wording they could use if they were sure that at least one alert was sent in error; then they wouldn't say it was likely, they'd say they know there were erroneous alerts. As it is, they're just speculating the alerts were wrong, which bodes very poorly.

I think they are sure they triggered some of the errors. However they may not be able to identify which ones were caused by their bug and which ones were legitimate attacks, which probably happen at some rate each day.

If you are a customer, and you received this message, you should definitely change your master password and probably rotate your stored passwords. You don't know if your email was real or not.

However, it explains why so many users were getting this message recently in a plausible way, that is not too hand-wavy except for their dodgy track record. It's not the level of transparency I would expect from Mozilla or even Reddit, but it's par for the course.

You should probably migrate to another password store. I moved away a while ago for other trust reasons, but this particular incident on its own is not that concerning to me.

I've definitely used that exact wording when ALL of the problems were DEFINITELY triggered by something but I still didn't fully understand how.