In September last year, a breach at LastPass’ parent company GoTo (formerly LogMeIn) culminated in attackers siphoning out all data from their servers. LastPass’ initial communication around the breach has been nothing short of a disaster. It happened more than three months after the users’ data was extracted from LastPass servers. Yet rather than taking responsibility and helping affected users, their PR statement was designed to downplay and to shift blame.

The criticism from the security community has been massive. This was not so much because of the breach itself, such things happen, but because of the many obvious ways in which LastPass made matters worse: taking months to notify users, failing to provide useful mitigation instructions, downplaying the severity of the attack, and ignoring technical issues which were publicized years ago and made the attackers’ job much easier.

LastPass promised to improve, both as far as their communication goes and on the technical side of things. So let’s take a look at whether they managed to deliver. So far I have failed to find evidence of any improvements whatsoever.

Update (): It looks like at least the issues listed under “Secure settings” are finally going to be addressed.