by md_ 1638 days ago
It's easy for me to imagine how you get here.

- Eng are still writing the postmortem

- Marketing want to put out a statement

- Eng know or suspect a bug exists that can trigger spurious notifications, but don't have sufficient logs to be able to reconstruct if that bug was in fact in play in production

- Legal advises not to say anything definitive that they can't stand behind later

I don't see any of that as particularly damning or malicious. "We aren't yet sure, but have a suspicion and are still investigating" can come out like the LastPass blog post when run through the PR filter.


Be that as it may, which I have my doubts about since they are quite definitive about the problem being solved, I don't want a PR filter from the company that I would trust with my passwords.

What I want to know is whether I have been compromised or not; the PR saves face at the further expense of users (if they truly have been compromised).

> What I want to know is have I been compromised or not,

They have been extremely clear that they have not found any signs of compromise. Did you miss that?

Of course no company can technically guarantee that they have not been compromised. If you are looking for someone telling you at any point they are 100% confident no user accounts have been compromised, then you will pick a company lying to you.

They should be able to explain why so many people received the email though. Was there a fault in the notification system or not? Are they going to send messages to the individuals which received the notification in error?

I get that direct evidence of a leak is difficult. However, a sudden surge of master passwords being known by third parties in uncorrelated accounts is very good evidence that something happened. If that's not what happened, then what happened exactly? Was it really a bug in the notification system? Do they have evidence that the passwords used in the blocked login attempts weren't really the actual master passwords?

There are a lot of things they can do to show they are on top of things.

Combine that with LastPass' history of security mistakes, the people on HN claiming that they didn't reuse the master password, and the press releases gaslighting their users, and I'm not buying their story for a second.
I did not miss that. But it's harder for me to read that as a technical statement and not more PR after the rest of the PR.

I also agree with you about the 100% confidence about not being compromised. Perhaps my previous statement was too black/white. I don't want PR or placating statements, I want a transparent status report without weasel words and which exhaustively covers the different cases (e.g. SOME of the messages were sent in error. What about the rest? Are the rest routine compromises that happen normally? Or was there a spike in compromised accounts?)

No, they say "As a result, we have adjusted our security alert systems and this issue has since been resolved."

They are claiming they know what the bug was.

They *need* to go into great detail if people are supposed to trust them with their digital life. That statement isn't nearly enough.
After all the problems with lastpass, who was even trusting them at this point?
My employer tried to move off them 2 years ago and didn't manage it.

The problem is the year subs. To avoid wasting money you need to do it at the end of a year, but you also need to get your users trained up before the switch. We hit a complication and ran out of time and so had to re-up.

Surely the cost of the subs is trivial compared to the cost of training users etc?
I could see if you were a big company, trying to migrate a bunch of users and retrain them on a new password manager would be costly, there are probably admins out there looking for any reason not to make the move, but at this point, I think they have lost all credibility.
Yeah absolutely.
Not necessarily. That could be read as them simply turning off the alerts (ideally, until they figure out and fix the bug).
Eurgh, I suppose it could mean that. Very misleading if so.
Then why not say:

"We have identified and fixed bugs that could result in incorrect master password use notifications being sent, but we have not yet been able to determine which, if any, of the recent wave of notifications were caused by those bugs. We are still investigating the issue."

Instead of communicating clearly around a serious security incident, they are using mealy-mouthed PR speak which does nothing to improve their image.

Sure, I'm with you, but this is pretty par for the course on incident comms.
You don't take into account that support told some of the customers that there was indeed a login attempt with a valid password. In that sense it does sound a bit like backtracking. Now it's supposed to have only been a reporting error.