50 comments

[ 0.23 ms ] story [ 57.7 ms ] thread
Using a password manager has 2 main tradeoffs and mistakes:

1- Tradeoff individual account risk, for systemic risk. You may argue password managers are safe, but few would argue that the risk model reduces the risk of individual password leaks more than the risk of all your passwords leaking. It's a tradeoff.

2- Cat and mouse security: There's a class of security decisions that work because they are new and different. First the weakness was that passwords were short, then you make passwords long but unmemorable, so people rely on some other mechanisms to authenticate, like a file on their computer, a drive, a fingerprint, facial recog, which may in turn be protected by a second factor password.

At first the new security model will not be stressed, but as more users migrate from one security model to the next one, that's when you are able to compare the security of both technologies, it starts being a juicy enough target that it becomes attacked.

So we are at the point where password managers are used enough that they start becoming worthwhile targets of attack (to overcome the difficulty of vulnerating them).

Also worth noting that these attacks are more winner-takes-all. In the sense that rather than seeing one account hacked every couple of hours, you will see them all hacked at once, because you introduced a vendor in the password supply chain AND because the vendor centralizes all of the passwords. So target that one vendor and from a single attack you get all the spoils. So when comparing the security of the olden method and the new, just 1 incident is enough to undo all of the reputational gains it has made over the years.

So... you business plan is to secure peoples personal data by handing some of that data to a third party. Got it.
How does anyone seriously trust LastPass anymore? Years ago, I was working for a company handling bank data. They were using LP immediately following a previous LP security incident and had no plans to migrate away.
I'm sure this is worse than using lastpass in some way

but for the past couple years I've just generated and forgotten 90% of my passwords. the final 10% I keep in a password manager. But if the service isn't really that important I just use the 'forgot my password' to change and generate a new password every time I need to login

>an incident that occurred at Klue (klue.com), a third-party market intelligence platform

Well, I hope Klue got them more customers than they are losing due to this.

Lots more companies affected. Some more listed below:

>"Klue has not said how many of its hundreds of customers are affected. Several companies have come forward to confirm they had data stolen during the attack, including Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium."

>Cybercrime group Icarus took credit for the breach, saying on its leak site that it will publish the stolen data on Monday if the company does not pay the hackers’ ransom."

https://techcrunch.com/2026/06/22/klue-hack-results-in-data-...

Sitting here with my KeepassX and being happy, again.
This isn't great but it's not that big of a deal either. A lot of companies got bit by the Klue breach but it's not like your vaults are being accessed.
I switched to keepass a decade ago (maybe) and never looked back
any company that stuck around (or began using) lastpass after vaults were leaked probably does not care about this one at all, considering its just CRM data.

i can sympathize a little bit with companies that stick with lastpass. when i had to switch an org from lastpass to 1password, it was a massive undertaking and incredibly annoying. however, i have no sympathy for anyone who has chosen lastpass after 2022.

Lol. Again.

Private company third party password managers are bad. Across the board. They're a bad idea.

Deeply localized actual best practices can help solve this. Private companies can also help, but only if it isn't in the form of "you can't have this unless you pay for it." The point is, it's like fighting fires, you can't isolate it.

It's a complete dead-end and the sooner the industry realizes this the better.

Any detailed info on why Klue had this data, apart from being their partner? How does it serve LastPass customers to give that data to Klue?
This is why I use Microsoft Teams and Outlook as my password manager. I just save my passwords to draft or email them to my coworkers so they never lose track /s
oh well, time to remind users of keepass
I ditched LastPass long ago for BitWarden, though I mostly use the Passwords app from Apple now.
Quite happy I moved away from LastPass long time ago. There are many options out there you can use.
I'm so glad we migrated away from LastPass (to BitWarden). It was a breach that caused us to move in the first instance.
I think it's time for LastPass to rebrand themselves as First0wned.
I've been an Enpass user for years because I got a lifetime purchase for a good deal. They don't host the cloud services for syncing passwords. Instead you just auth your cloud storage (I use Google Drive) and it syncs to that.

This approach seems better to me. For one thing, I'd already be screwed if someone malicious got into my Google account, probably worse than if they got into my password manager. And additionally, this means they're not creating an absolute jackpot of data to breach in a centralized place. No one's gonna hack Enpass of all their passwords because that would require hacking all of Google Drive, Dropbox, iCloud, etc. and looking for the files manually.

> No one's gonna hack Enpass of all their passwords because that would require hacking all of Google Drive, Dropbox, iCloud, etc. and looking for the files manually.

Or they compromise their self-update system if that exists.

LastPass is still behind TMobile on breach frequency, but maybe they will catch up soon.
This looks like a customer data leak and not a vault leak? Still an issue but not a reason to go rotate every password - or am I misreading?