Last Call for LastPass
We examine the flaws endemic to LastPass' product, and their bungled response to and disclosure of their recent compromise.
As many of you would have already heard, the August breach of LastPass was revealed to have been much worse than originally thought, with unencrypted customer data and encrypted password vaults now confirmed to have been nicked by the attackers.
It's hard to see how this update - the third since their initial disclosure of the breach - wasn't designed to obfuscate the impact and shift blame to customers, with its release coinciding perfectly with the beginning of the end-of-year holiday season.
I've held off on publishing anything on the topic as I was hoping LastPass would come clean on their shoddy handling of the disclosure, but despite a deluge of bad press on the matter, they've kept silent.
Hence, this post.
I'll start with a quick summary of what's happened so far, before highlighting the impact LastPass' systemic inaction and evasiveness have had on their customers and business. I’ll close by addressing the ongoing viability of LastPass as both a product and a vendor, and what th…