by _aavaa_ 1637 days ago
Be that as it may, which I have my doubts about since they are quite definitive about the problem being solved, I don't want a PR filter from the company that I would trust with my passwords.

What I want to know is whether I have been compromised or not; the PR saves face at further expense of users (if they truly have been compromised).


> What I want to know is have I been compromised or not,

They have been extremely clear that they have not found any signs of compromise. Did you miss that?

Of course no company can technically guarantee that they have not been compromised. If you are looking for someone telling you at any point they are 100% confident no user accounts have been compromised, then you will pick a company lying to you.

They should be able to explain why so many people received the email, though. Was there a fault in the notification system or not? Are they going to send messages to the individuals who received the notification in error?

I get that direct evidence of a leak is difficult. However, a sudden surge of master passwords being known by third parties in uncorrelated accounts is very good evidence that something happened. If that's not what happened, then what happened exactly? Was it really a bug in the notification system? Do they have evidence that the passwords used in the blocked login attempts weren't really the actual master passwords?

There are a lot of things they can do to show they are on top of things.

Combine that with LastPass' history of security mistakes, the people on HN claiming that they didn't reuse the master password, and the press releases gaslighting their users, and I'm not buying their story for a second.
I did not miss that. But it's harder for me to read that as a technical statement and not more PR after the rest of the PR.

I also agree with you about the 100% confidence about not being compromised. Perhaps my previous statement was too black/white. I don't want PR or placating statements; I want a transparent status report without weasel words and which exhaustively covers the different cases (e.g. SOME of the messages were sent in error. What about the rest? Are the rest routine compromises that happen normally? Or was there a spike in compromised accounts?)