[selykg]

At this point you should assume you're breached. If they aren't going to give you the details, you should assume the worst.

I have asked all of my team to change their passwords. We use LastPass via our parent company and will be switching off LastPass soon for our team. LastPass never would've been my choice, it was made before I joined.

But assume you're breached, change it all now, and ideally you're not going to stay with LastPass. Their communication sucks, which is just icing on the cake in this entire situation.

[deadfece]

Export from LP and start migrating, starting with changing common social IdPs like Google, Facebook, Twitter, Github, Apple, Microsoft/Live/Xbox/Outlook. Update the password of remote access programs like Parsec, and your cell phone provider's password. Then go through your TOTP generator and start changing everything in your TOTP generator (especially since you might be using LP Authenticator - if you are, then move to a different authenticator at the same time). Next: banking, your work payroll, investment accounts, Tax/IRS, shopping. From here one out start going through the list by the amount of money involved. If you doubt that then go through them ordered by the amount of data involved.

If you get lost and stuff seems too hard, if your replacement product lets you sort by age then just sort by oldest and hit 5 today. Hit 5 more tomorrow. Keep chipping at it. At this point you might as well change one every single day.

[azinman2]

I’ve always felt like there’s a startup in there that can reliably change all your passwords for you. Probably something like one time $299, which sounds expensive, until you realize the pain of doing this.

[selykg]

Ironically... isn't that something LastPass does for you?

https://www.pcworld.com/article/430756/nifty-new-lastpass-da...

This is an old article, no idea if the feature still exists or not.

[ipaddr]

More like does to you and forces you to do it yourself

[ryandrake]

Depending on how it was implemented, that could just increase the attack surface. Assuming it's a cloud service, now we have another company that has all your passwords, that can be breached. A better way would be desktop software that runs on your local machine and logs in to each web site by itself and changes all your passwords, without using any remote compute or storage, outputting a local file with all your new passwords (don't make the same mistake again using a cloud password manager).

[azinman2]

I imagined this was local. I think it would be very difficult to trust it otherwise.

[sorokod]

Attack surface will increase regardless of implementation. It is another point that can be attacked, one that did not exist before.

[deadfece]

I love web scraping, maybe I can update this prior idea. With the high proliferation of botting, a lot of sites are now resistant to this type of scripting, but at this low volume of interaction, it may be doable with some effort like Undetected Chromedriver.

https://drewdevault.com/2017/05/11/Rotating-passwords.html

https://github.com/tsudoko/pass-rotate

[artificial]

Vault rotation++. I was bitten by this switching authenticators when one didn't have an export at the time. It was such a massive pain to login and remove, add, setup and annotate, store secrets and repeat.

[paradox242]

This was also the final straw for our organization, we have initiated a company-wide reset of any credentials stored in in their service (thanks, LastPass) and are definitely not going to be renewing. The frequency of recent breaches, and especially the opaque manner in which they have been handled have destroyed any credibility they may have once had with regard to being trustworthy enough to store important secrets.

[panarky]

> definitely not going to be renewing

That reads like you're resetting credentials and then putting the new credentials back in LastPass, and then possibly maybe moving away from LastPass at some point in the future.

Given how little LastPass has disclosed, and the negligence we already know about, we should not only assume we're breached, but we should also assume LastPass is still storing critical data in cleartext, they don't have a "zero knowledge architecture", and their systems are still vulnerable to intrusion and exfiltration.

[andrewmcdonough]

That's good advice. I already made that assumption when the leak was first publicised and changed all of my important passwords the same day. I'm just trying to decide whether it's worth changing the hundreds of other low value passwords that were once stored in LastPass. I migrated to another service a few years ago, but I'm concerned the attackers have got hold of older backups, containing sensitive data that I had deleted, but with LastPass's poor communication, there is no way of knowing.

[porter]

What would your choice be?