> What would you have the people who are using LastPass do, stop using it?
Yes. After their last major breach I exported all my data and deleted all my credentials and account with LastPass. Seeing the details of this breach, I'm super happy I did.
I meant the major breach before this one, I believe that was the one that gave attackers access to their dev environment, which they used to steal the developer credentials they used to make this attack.
I don't agree that was enough of a reason to drop them. An attacker getting access to your dev environment, even if you're one of the largest security-focused endeavours, is pretty much an inevitability. Someone's gonna get access to one of your engineers' MacBooks, no matter what.
The thing that's bad is that apparently their developers have access to (backups of) production data. That implies that their security infrastructure is not different from regular startups at all, so all of their marketing is just bullshit. They didn't sacrifice developer productivity for security on this point, so they can't be trusted to have sacrificed anything for security at any point.
It's a solid point, you really need to rotate all the credentials to be safe. I did that for the important accounts and don't share passwords between accounts. I'm sure there are still a few accounts here and there that might be at risk, especially since it was specifically the backups that were compromised.