There ought to be some kind of legal sanction against companies that try to hide the seriousness of data breaches.
I read the customer update, and the severity of this breach is hidden deep in the statement and skimmed over.
Basically: LastPass just shared which sites you have logins for with the attacker. This could be sold or released to the entire world. They claim the usernames are encrypted fields but often the usernames can also be in the URLs saved along with the site.
This is only tangentially related but I just noticed that LastPass reactivated an account I closed 3 years ago and began billing me two years ago. I just caught the second charge and when I confronted them, they said they can only refund within 30 days!
So check your statements and see. I'm curious to know how many more people this has happened to.
I believe KeePass uses local password vaults. I don't use it personally, but I have heard many people use a combination of KeePass and Syncthing to sync their passwords across multiple devices.
Setting up a reverse proxy + TLS is not that hard. Buying a domain + paying the 10€ per year license (if you go with the official server rather than vaultwarden) is still cheaper than paying for LastPass / 1Password / Dashlane for the same time. As long as you are willing to maintain it, that's pretty reasonable.
The only thing that makes me mad in Bitwarden's official client is that you STILL can't remap your keys. I still have the old habit of Ctrl+L from KeeWeb to go to the search bar. On Bitwarden it locks your vault...
This title is so manipulative and misleading. The attacker stole a mountain of AES encrypted blobs, so unless this threat actor has broken AES already, it'll probably be decades before they'll be able to peer into your secrets.
Incorrect. It turns out your "vault" is comprised of unencrypted and encrypted fields. Unencrypted fields include URLs. If the attacker publishes this data, or sells it to somebody who does, this will be Ashley Madison x100.
It looks like the only relevant data that was unencrypted are the URLs [0]. I'm guessing that was some sort of design decision they made for the browser extension to be able to see if you had a password for that site.
If anything, apart from leaking the domain, which could still be a privacy issue, they should have at least sanitized the URLs to remove usernames or tokens if they were going to automatically save those URLs to the vault. I can guess that not doing so allowed their auto-login function to work on some websites by saving the login URL endpoint, but all I'd really want is the vault to keep the sanitized domain.
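A sanitizer of the kind that comment asks for, as an added Python example (not LastPass's or any other vendor's code): it reduces a captured login URL to its origin so that embedded usernames, reset tokens and per-user paths never reach the vault. The sample URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit


def sanitize_vault_url(raw: str) -> str:
    """Reduce a captured login URL to scheme + host (+ non-default port).

    Everything that can identify a person is dropped: the userinfo part
    (user:pass@), the path (e.g. /users/alice), the query string (session
    ids, reset tokens) and the fragment. Only the site itself survives.
    """
    raw = raw.strip()
    # A bare "example.com/login" has no scheme; urlsplit would read it as a path.
    if "://" not in raw:
        raw = "https://" + raw
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("URL has no host")
    # urlsplit strips the brackets from IPv6 literals; put them back.
    if ":" in host:
        host = f"[{host}]"
    # Keep an explicit port only when it differs from the scheme default.
    default_port = 443 if scheme == "https" else 80
    port = parts.port  # raises ValueError on a malformed port
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    # Empty query and fragment, root path: only the origin is stored.
    return urlunsplit((scheme, netloc, "/", "", ""))


# Constructed examples of the URL shapes the thread worries about.
SAMPLE_URLS = [
    "https://alice:secret@Example.com/login?token=abc123#top",
    "https://mail.example.org/reset?user=alice&token=deadbeef",
    "example.net/users/alice/profile",
    "http://intranet.local:8080/sso?sid=42",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url}\n  -> {sanitize_vault_url(url)}")
```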
I used LastPass up until a few years ago. I've received three separate password reset emails this week for accounts I seldom use and haven't visited in months.
Someone is out there using whatever data or metadata was unencrypted.