Every subsequent update of the #LastPass breach makes it worse. The latest one makes it clear that someone, somewhere, is probably putting a room full of discarded mining GPUs to work trying to crack that master password. Since the URLs are in plain text, whoever has the data has a list of all websites that a user cared enough about to make and store accounts on. That #metadata is going to be very useful for someone, somewhere. That the data hasn't yet popped up leaked or for sale hints that this could be yet another state-sponsored effort.

PS I highly recommend @bitwarden for all your credential manager needs, and please pay them to host it for you.

Been reading more and stewing on this. #LastPass knew about this weeks, maybe months ago. They dropped it right before all of the security and IT people would be out on vacation for the rest of the year. Now we're all forced to try and contain the conflagration during what should be relaxing time off. Once again, the response is becoming the story more than the incident. Technical mistakes I can forgive, but bad COMMs much less so.