So this blog seems to completely ignore LastPass's statement from 2021-12-28:
> Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
That statement is too squirrelly for me to trust if my passwords were stored with them.
“SOME of these security alerts”
“were LIKELY triggered”
“HAS BEEN solved”
(Emphasis mine)
How can the issue be definitively solved if you aren't sure that they were actually triggered in error, and if they were in error, then it's only some of them?
- Engineering knows or suspects a bug exists that can trigger spurious notifications, but doesn't have sufficient logs to reconstruct whether that bug was in fact in play in production
- Legal advises not to say anything definitive that they can't stand behind later
I don't see any of that as particularly damning or malicious. "We aren't yet sure, but have a suspicion and are still investigating" can come out like the LastPass blog post when run through the PR filter.
Be that as it may (which I have my doubts about, since they are quite definitive about the problem being solved), I don't want a PR filter from a company that I would trust with my passwords.
What I want to know is whether I have been compromised or not; the PR saves face at further expense of users (if they truly have been compromised).
> What I want to know is have I been compromised or not,
They have been extremely clear that they have not found any signs of compromise. Did you miss that?
Of course no company can technically guarantee that they have not been compromised. If you are looking for someone telling you at any point that they are 100% confident no user accounts have been compromised, then you will pick a company lying to you.
They should be able to explain why so many people received the email though. Was there a fault in the notification system or not? Are they going to send messages to the individuals which received the notification in error?
I get that direct evidence of a leak is difficult. However, a sudden surge of master passwords being known by third parties in uncorrelated accounts is very good evidence that something happened. If that's not what happened, then what happened exactly? Was it really a bug in the notification system? Do they have evidence that the passwords used in the blocked login attempts weren't really the actual master passwords?
There are a lot of things they can do to show they are on top of things.
Combine that with LastPass's history of security mistakes, the people on HN claiming that they didn't reuse the master password, and the press releases gaslighting their users, and I'm not buying their story for a second.
I did not miss that. But it's harder for me to read that as a technical statement and not more PR after the rest of the PR.
I also agree with you about the 100% confidence about not being compromised. Perhaps my previous statement was too black/white. I don't want PR or placating statements; I want a transparent status report without weasel words which exhaustively covers the different cases (e.g. SOME of the messages were sent in error. What about the rest? Are the rest routine compromises that happen normally? Or was there a spike in compromised accounts?)
My employer tried to move off them 2 years ago and didn't manage it.
The problem is the yearly subs. To avoid wasting money you need to do it at the end of a year, but you also need to get your users trained up before the switch. We hit a complication and ran out of time and so had to re-up.
I could see that if you were a big company, trying to migrate a bunch of users and retrain them on a new password manager would be costly; there are probably admins out there looking for any reason not to make the move. But at this point, I think they have lost all credibility.
"We have identified and fixed bugs that could result in incorrect master password use notifications being sent, but we have not yet been able to determine which, if any, of the recent wave of notifications were caused by those bugs. We are still investigating the issue."
Instead of communicating clearly around a serious security incident, they are using mealy-mouthed PR speak which does nothing to improve their image.
You don't take into account that support told some of the customers that there was indeed a login attempt with a valid password. In that sense it does sound a bit like backtracking. Now it's supposed to have only been a reporting error.
That is the wording they have to use, right? They can't be certain that ALL the emails these people have seen were caused by the buggy email notification code... I am sure some legitimate notifications were also sent out during the time, so how would they know if any of those were caused by something else?
It's not the wording they could use if they were sure that at least one alert was sent in error; then they wouldn't say it was likely, they'd say they know there were erroneous alerts. As it is, they're just speculating the alerts were wrong, which bodes very poorly.
I think they are sure they triggered some of the errors. However they may not be able to identify which ones were caused by their bug and which ones were legitimate attacks, which probably happen at some rate each day.
If you are a customer, and you received this message, you should definitely change your master password and probably rotate your stored passwords. You don't know if your email was real or not.
However, it explains why so many users were getting this message recently in a plausible way that is not too hand-wavy, except for their dodgy track record. It's not the level of transparency I would expect from Mozilla or even Reddit, but it's par for the course.
You should probably migrate to another password store. I moved away a while ago for other trust reasons, but this particular incident on its own is not that concerning to me.
One advantage of telling the truth is that you don't go to prison for fraud.
When evaluating this kind of conspiracy theory, it's important to consider the number of people who would have to remain silent for the conspiracy to survive, and to consider how much it would cost to keep that many people silent. In this case, it's at least a few dozen so I think it's fair to assume that such a lie would not survive very long.
Sure, I do contracting work for the military.
There are hundreds of millions of secrets kept every day with hundreds of thousands of people keeping their mouths shut.
Leaking is exceedingly rare.
You have not provided any evidence or examples, just a “trust me”, which is essentially worthless. Also, there is a difference between a secret and a conspiracy. Secrets can survive for a long time, whereas history suggests that conspiracies rarely, if ever, succeed long term.
Well, you know that the military has a lot of secret stuff you know nothing about, right? Let's use Area 51 as an example.
Leaks like Snowden or Manning are a drop in the bucket compared to the total amount of secrets that were not leaked.
As far as examples of successfully kept secrets, I can’t give those, because I’m in on it.
All a conspiracy is, is a group of people keeping a secret.
As far as conspiracies not being successful long term, history tells us no such thing. Conspiracies with tons of people are successfully kept every single day, only to be discovered decades later when something is declassified for example.
You can never prove if a conspiracy to keep a secret is not successful if you never knew it existed.
Oh absolutely.
My point was strictly the assumption that many people can’t keep secrets.
Depending on ideology, reprisals, or personal ethics (good and bad), secrets can be kept by a startlingly large group of people.
I’ve seen estimates as high as 10% of the population of east Germany were spying on their neighbors.
I agree. Humans like sharing things, even if they shouldn't. We're bad at keeping secrets. I was just making the point that your claim of leaks in the military isn't necessarily comparable to a leak about a company. You do have a point about the large numbers of service members - that would raise the chances of something happening.
They are indeed different. But if they were compromised, it doesn't mean that all employees there know. It would probably be a handful of engineers only. Maybe one day one of them will make a blog post with all the details; however, there are more incentives to keep their mouths shut than otherwise. If they come out publicly about this, they will get a lot of unwanted exposure (which most people don't like), they will certainly lose their jobs, they will have to talk about it in every job interview they do, they will likely get sued for NDA breaches, etc., which will actually prevent them from being hireable in many places (especially security firms). So, it's much easier for these people, if they morally object to this, to just quit, find another job and move on. They'll likely tell their friends and family not to use LastPass, but that will only travel so far.
D-Day and the operations around it? Various price fixing cartels that were eventually prosecuted?
Naming conspiracies that have never leaked is kind of hard, since we wouldn't know about them. So you have to look for examples of things that were talked about after they stopped being relevant, or that were uncovered without anyone blabbing.
JFK, 9/11, and Epstein spring to mind for major conspiracies. I think anyone with a head on can see the government bodies tasked to investigate those affairs were rife with conflicted interests, duplicitous individuals, and some intent that they should be as narrow investigations as possible. Those secrets have been kept or at the very least the limited hangout worked so well that people think only nuts question them.
> In this case, it's at least a few dozen so I think it's fair to assume that such a lie would not survive very long.
This is a very unlikely expectation. Employees are under NDA, so nobody will talk publicly about it unless one of them feels so strongly about it as to sacrifice their career (they'd certainly get fired, and being sued for breaching the NDA isn't going to make finding a new job easier).
Employees at all companies keep quiet about bugs like these all the time, that's the most common outcome.
Would it actually be illegal to cover up/lie about? I assume the company is US based; there are certainly breach regulations in Aus (with a 12 month notification window). I guess if it's publicly traded then it would be a breach of law, but what about if it was privately owned?
Tech companies are not held liable by the justice department or any other federal org. It's against their interests because they now depend on these services to operate. Which is why you will never see Amazon, Google, or Microsoft sued in any damaging capacity for the obvious fraud they commit. That being fake products, reviews, promoting scams, antitrust, etc.
The consequences of “Mea Culpa, please reset your master password” seem much less existential than denying and eventually being revealed as untrustworthy.
I hadn't seen it when I wrote the article. However, the formulation is vague enough that it could mean anything. Maybe the alerts were sent out by mistake, which would be good news. But they don't quite say that. Their statement might also mean that they rather disabled legitimate alerts so that people don't get concerned. So they might have "cured" the symptoms without addressing the actual issue.
It certainly isn’t reassuring that they keep talking about credential stuffing, even though it’s quite unlikely to be the culprit here.
"likely", "some": weasel words. Corporate marketing speak for "we have no idea what happened, so dream up some scenario that sounds plausible and do a press release."
The lack of that specific information doesn't make it vague in my view.
If I tell you that the world appears to be shaped as a globe, then that statement isn't vague just because I don't explain _why_ it appears shaped as a globe.
This isn't some abstract argument about your view of the world. This is a blogpost about a potentially very serious system fault. Customers want to know what the root cause of the fault was, so that they can evaluate whether to continue to do business with the company or not. It's very cut and dry.
It's vague because we don't know why you consider it to appear to be a globe. Did you fly in a rocket and see it, or do you just think that round is the perfect shape and God wouldn't create the world in any other way?
I'm curious how that balances with everyone sharing random IPs from attempted account access. Where did those addresses come from? Why are users seeing them? Did the bug they're talking about cause bad data to be pushed to users' dashboards?
Several people have reported that if you tried to log on from a new IP with an incorrect master password, then you got an email saying that someone tried to log on using your master password, even though that was not the case.
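Editor's added example, not from any commenter and not LastPass code (nothing on this page shows their implementation): a hypothetical Python sketch of the failure mode described above. A "master password used from a new IP" rule that keys off IP novelty alone, placed beside one that checks the credential result first, both run over a constructed batch of login attempts. The user names, the IPs (RFC 5737 documentation ranges) and the alert labels are all assumptions made up for the illustration.

```python
"""Hypothetical login-alert classifier: buggy rule beside a fixed one.

Added illustration only. Not LastPass code; users, IPs, labels are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    source_ip: str
    password_ok: bool  # outcome of the real credential check (assumed available)


# Constructed baseline: IPs each user has previously logged in from.
KNOWN_IPS = {
    "alice": {"198.51.100.7"},
    "bob": {"203.0.113.20"},
}


def is_new_ip(attempt: LoginAttempt) -> bool:
    return attempt.source_ip not in KNOWN_IPS.get(attempt.user, set())


def classify_buggy(attempt: LoginAttempt) -> str:
    """Decides 'master password used' from IP novelty alone: a wrong-password
    attempt from an unknown IP is escalated exactly like a successful one."""
    if is_new_ip(attempt):
        return "MASTER_PASSWORD_USED_NEW_IP"
    return "OK"


def classify_fixed(attempt: LoginAttempt) -> str:
    """Consults the credential result before attributing password knowledge.
    Failed attempts from a new IP are still recorded, just not as 'password used'."""
    if attempt.password_ok:
        return "MASTER_PASSWORD_USED_NEW_IP" if is_new_ip(attempt) else "OK"
    return "FAILED_LOGIN_NEW_IP" if is_new_ip(attempt) else "FAILED_LOGIN_KNOWN_IP"


# Constructed sample batch (TEST-NET addresses; no real traffic).
SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", "198.51.100.7", True),   # alice, usual IP, correct password
    LoginAttempt("alice", "192.0.2.44", False),    # stranger, new IP, wrong password
    LoginAttempt("alice", "192.0.2.45", False),    # another guess, wrong password
    LoginAttempt("bob", "192.0.2.90", True),       # bob, new IP, correct password: real alert
    LoginAttempt("bob", "203.0.113.20", False),    # bob typo from his usual IP
]


def alert_counts(classifier, attempts=SAMPLE_ATTEMPTS) -> Counter:
    """Histogram of outcomes a classifier produces for a batch of attempts."""
    return Counter(classifier(a) for a in attempts)


def spurious_alerts(attempts=SAMPLE_ATTEMPTS) -> list:
    """Attempts the buggy rule reports as 'master password used' although
    the supplied password was wrong: the spurious emails in question."""
    return [
        a for a in attempts
        if classify_buggy(a) == "MASTER_PASSWORD_USED_NEW_IP" and not a.password_ok
    ]


if __name__ == "__main__":
    print("buggy  :", dict(alert_counts(classify_buggy)))
    print("fixed  :", dict(alert_counts(classify_fixed)))
    print("spurious 'password used' alerts from buggy rule:", len(spurious_alerts()))
```

On the constructed batch the buggy rule raises three "master password used" alerts, of which two are wrong-password attempts from an unknown IP; the fixed rule raises one and files the other two as failed logins from a new IP. Whether anything like this is what actually happened at LastPass is not something this thread establishes; the sketch only shows that the reported symptom needs no complicated bug.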
I was referring to the IPs being shown to users.[1]
So then: is the bug also responsible for pushing bad data to the users' dashboards? If this is really a bug, it's a complicated one. I'd be curious if those IPs are still being shown on the users' end.
I don't have a link handy, nor am I currently familiar with LP's site or extensions:
The part of the site that shows the recent connections to your account, with IPs. People were sharing those IPs and thoughts in the linked thread.
That data came from somewhere; if it's related to this bug then this bug is also pushing incorrect data into other parts of the service. It's also entirely possible that it wasn't a bug, and instead a security issue, and that data is correct, and they're bending words to play it off as just a bug.
I can understand a bug triggering a warning system, but when it's also presenting related data in the account security logs; it's either a complicated bug or there's more to the story.
> it's either a complicated bug or there's more to the story.
I showed you pseudo-code which could trigger this issue. It was trivial code which could cause it in practice. Yet you claim it must be complicated or more to the story. I have no idea why you feel that classifying a request in a certain way must be caused by a complicated bug - very strange.
I think you're into FUD-mode now because even after being shown wrong, you continue to spread misinformation.
Also, you are referring to LP functionality which to my knowledge doesn't even exist, and when asked you say you don't know the software being discussed.
Your example would've caused a much larger response, no? By most accounts, it didn't trigger for most users, so a simple flub like that should've triggered on more accounts.
I'm viewing this through the lens of multiple days of differing social groups poking at this, and the crowdsourced information that's yielded.
> ...shown wrong, you continue to spread misinformation.
You haven't shown anything wrong: neither of us knows what actually happened. Nor am I spreading misinformation, nor making statements as to what happened; I'm questioning it. Is there some reason you're so accusatory?
> Also, you are referring to LP functionality which to my knowledge doesn't even exist, and when asked you say you don't know the software being discussed.
[1]. I haven't touched LP in, ehhh, 10ish years, and it was a feature even back then.
I thought that was obvious given the context. You are spreading BS that this must be caused by some complex bug yet having nothing to back it up except for anecdotes. You have already said you don't know the feature set and you haven't used it in 10 years, yet you are making such a claim.
Why wouldn't I accuse you of spreading misinformation if you make claims without knowing what you're talking about?
> Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
Source: https://blog.lastpass.com/2021/12/unusual-attempted-login-ac...
Source2: https://twitter.com/troyhunt/status/1476296988001849345?s=21