Comments (152)

  • jagged-chisel
    How does anyone seriously trust LastPass anymore? Years ago, I was working for a company handling bank data. They were using LP immediately following a previous LP security incident and had no plans to migrate away.
  • khurs
    Lots more companies affected. Some more listed below:
    >"Klue has not said how many of its hundreds of customers are affected. Several companies have come forward to confirm they had data stolen during the attack, including Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium."
    >Cybercrime group Icarus took credit for the breach, saying on its leak site that it will publish the stolen data on Monday if the company does not pay the hackers’ ransom."
    https://techcrunch.com/2026/06/22/klue-hack-results-in-data-...
  • variety8675
    https://blog.lastpass.com/posts/klue-supply-chain-incident-a...
    > The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
  • argee
    I, like many others, wanted to move off of LP but was too lazy. So I just exported my passwords and put them into Google Sheets. While I have rotated many of those passwords (especially the important ones) and put them into a better password manager, there are several I haven't — and they've remained safer in Google Sheets than in LP.
    The lesson here is to get off of LP ASAP, you can figure out where to go later.
  • fusslo
    I'm sure this is worse than using lastpass in some way
    but for the past couple years I've just generated and forgotten 90% of my passwords. the final 10% I keep in a password manager. But if the service isn't really that important I just use the 'forgot my password' to change and generate a new password every time I need to login
  • woadwarrior01
    I think it's time for LastPass to rebrand themselves as First0wned.
  • bradley13
    WTF is LastPass doing, handing customer details to a market research company? Any such data should have been fully anonymized: no names, no specific addresses, etc.
    For anyone looking for a recommendation: I use KeepassXC with Keepass2Android. Open source, with a local database that you can choose to sync (or not). I sync using Own cloud.
  • hbn
    I've been an Enpass user for years because I got a lifetime purchase for a good deal. They don't host the cloud services for syncing passwords. Instead you just auth your cloud storage (I use Google Drive) and it syncs to that.
    This approach seems better to me. For one thing, I'd already be screwed if someone malicious got into my Google account, probably worse than if they got into my password manager. And additionally, this means they're not creating an absolute jackpot of data to breach in a centralized place. No one's gonna hack Enpass of all their passwords because that would require hacking all of Google Drive, Dropbox, iCloud, etc. and looking for the files manually.
  • john_strinlai
    any company that stuck around (or began using) lastpass after vaults were leaked probably does not care about this one at all, considering it's just CRM data.
    i can sympathize a little bit with companies that stick with lastpass. when i had to switch an org from lastpass to 1password, it was a massive undertaking and incredibly annoying. however, i have no sympathy for anyone who has chosen lastpass after 2022.
  • insanitybit
    This isn't great but it's not that big of a deal either. A lot of companies got bit by the Klue breach but it's not like your vaults are being accessed.
  • felooboolooomba
    Any detailed info on why Klue had this data, apart from being their partner? How does it serve LastPass customers to give that data to Klue?
  • giancarlostoro
    I ditched LastPass long ago for BitWarden, though I mostly use the Passwords app from Apple now.
  • eladbs
    Note #1428 to self: Delete all data from LastPass already.
  • rawoke083600
    Unpopular take:
    I "just" use google chrome password manager for "everything".. yes I'm sure it horrifies some HN ppl but my thinking is, from all the password managers out there, does anyone spend more on security or hire better security ppl or have access to better security tools and infra than google (yes yes I'm sure outliers and some counter examples exist).
    I routinely die a little inside when i see my gf (non-techie) try and remember which one of her fav 3-5 often used passwords she has used for site/service abc as she tries to login.
    Kinda tongue in cheek, I always tell her if you can remember your password it's a bad one!
  • username135
    I switched to keepass a decade ago (maybe) and never looked back
  • khurs
    >an incident that occurred at Klue (klue.com), a third-party market intelligence platform
    Well, I hope Klue got them more customers than they are losing due to this.
  • chinathrow
    Sitting here with my KeepassX and being happy, again.
  • 1a527dd5
    I'm so glad we migrated away from LastPass (to BitWarden). It was a breach that caused us to move in the first instance.
  • angelmm
    Quite happy I moved away from LastPass long time ago. There are many options out there you can use.
  • fred_is_fred
    This looks like a customer data leak and not a vault leak? Still an issue but not a reason to go rotate every password - or am I misreading?
  • thenews
    oh well, time to remind users of keepass
  • unstatusthequo
    LastPass is still behind TMobile on breach frequency, but maybe they will catch up soon.
  • ChrisArchitect
  • throwawayffffas
    So... your business plan is to secure people's personal data by handing some of that data to a third party. Got it.
  • TZubiri
    Using a password manager has 2 main tradeoffs and mistakes:
    1- Tradeoff individual account risk, for systemic risk. You may argue password managers are safe, but few would argue that the risk model reduces the risk of individual password leaks more than the risk of all your passwords leaking. It's a tradeoff.
    2- Cat and mouse security: There's a class of security decisions that work because they are new and different. First the weakness was that passwords were short, then you make passwords long but unmemorable, so people rely on some other mechanisms to authenticate, like a file on their computer, a drive, a fingerprint, facial recog, which may in turn be protected by a second factor password.
    At first the new security model will not be stressed, but as more users migrate from one security model to the next one, that's when you are able to compare the security of both technologies, it starts being a juicy enough target that it becomes attacked.
    So we are at the point where password managers are used enough that they start becoming worthwhile targets of attack (to overcome the difficulty of vulnerating them).
    Also worth noting that these attacks are more winner-takes-all. In the sense that rather than seeing one account hacked every couple of hours, you will see them all hacked at once, because you introduced a vendor in the password supply chain AND because the vendor centralizes all of the passwords. So target that one vendor and from a single attack you get all the spoils. So when comparing the security of the olden method and the new, just 1 incident is enough to undo all of the reputational gains it has made over the years.
  • lyu07282
  • paulbjensen
    Once more onto the breach…
  • jrm4
    Lol. Again.
    Private company third party password managers are bad. Across the board. They're a bad idea.
    Deeply localized actual best practices can help solve this. Private companies can also help, but only if it isn't in the form of "you can't have this unless you pay for it." The point is, it's like fighting fires, you can't isolate it.
    It's a complete dead-end and the sooner the industry realizes this the better.
  • greenavocado
    This is why I use Microsoft Teams and Outlook as my password manager. I just save my passwords to draft or email them to my coworkers so they never lose track /s