For years I’ve been advising clients and employers not to use due to the possibility of a compromise of their password vaults, since the data is stored on servers outside of their control. I’ve always pushed for them to instead use the open-format database stored on their own servers, with DLP and heavy alerting and monitoring. I also pushed for them to use smaller databases tied to SSO, breaking the data into role-based, need-to-know containers and databases.

Today, LastPass confirmed that they had lost cloud storage keys to backups that contained “customer vault data”, EARLIER THIS YEAR. They are being tight-lipped about the hack and pretending that the fact they use an unpublished binary format is going to help protect customers.

All LastPass customers should consider any data to be compromised and immediately change any passwords or sensitive data stored with the company.