undefined | Better HN

0 points_aavaa_4y ago0 comments

Be that as it may, which I have my doubts about since they are quite definitive about the problem being solved, I don't want a PR filter from the company that I would trust with my passwords.

What I want to know is have I been compromised or not, the PR saves face at further expense of users (if they truly have been compromised).

0 comments

tuwtuwtuwtuw4y ago

> What I want to know is have I been compromised or not,

They have been extremely clear that they have not found any signs of compromise. Did you miss that?

Of course no company can technically guarantee that they have not being compromised. If you are looking for someone telling you at any point they are 100% confident no user accounts have been compromised, then you will pick a company lying to you.

aflag4y ago

They should be able to explain why so many people received the email though. Was there a fault in the notification system or not? Are they going to send messages to the individuals which received the notification in error?

I get that direct evidence of a leak is difficult. However, a sudden surge of master passwords being known by third parties in uncorrelated accounts is a very good evidence that something happened. If that's not what happened, then what happened exactly? Was it really a bug in the notification system? Do they have evidence that the password used in the blocked login attempts weren't really the actual master password?

There is a lot of things they can do to show they are on top of things.

tragictrash4y ago

combine that with lastpass' history of security mistakes, the people in on hn claiming that they didn't reuse the master password, and the press releases gas lighting their users, I'm not buying their story for a second.

_aavaa_OP4y ago

I did not miss that. But it's harder for me to read that as a technical statement and not more PR after the rest of the PR.

I also agree with you about the 100% confidence about not being compromised. Perhaps my previous statement was too black/white. I don't want PR or placating statements, I want a transparent status report without weasel words and which exhaustively covered the different cases (e.g. SOME of the messages were sent in error. what about the rest? Are the rest routine compromises that happen normally? Or was there a spike in compromised accounts?)

j / k navigate · click thread line to collapse