from Hacker News

LastPass users: Your info and vault data is now in hackers’ hands

by joelkesler on 12/22/22, 10:59 PM with 19 comments

• by ryanjshaw on 12/23/22, 5:55 AM

  There ought to be some kind of legal sanction against companies that try to hide the seriousness of data breaches.

  I read the customer update, and the severity of this breach is hidden deep in the statement and skimmed over.

  Basically: LastPass just shared which sites you have logins for with the attacker. This could be sold or released to the entire world. They claim the usernames are encrypted fields but often the usernames can also be in the URLs saved along with the site.

• by teamspirit on 12/23/22, 5:00 AM

  This is only tangentially related but I just noticed that lastpass reactivated an account I closed 3 years ago and began billing me two years ago. I just caught the second charge and when I confronted them, they said they can only refund within 30 days!

  So check your statements and see. I'm curious to know how many more people this has happened to.

• by joelkesler on 12/22/22, 11:06 PM

  This makes me wish 1Password still allowed self-hosted and self-synced password vaults.

• by jart on 12/23/22, 1:12 AM

  This title is so manipulative and misleading. The attacker stole a mountain of AES encrypted blobs, so unless this threat actor has broken AES already, it'll probably be decades before they'll be able to peer into your secrets.