LastPass notifies users of yet another data breach

What This Breach Involved

  • Incident originated at Klue, a third‑party “competitive/market intelligence” tool integrated with LastPass’s Salesforce and Gong systems.
  • Attackers obtained OAuth tokens from Klue and accessed LastPass CRM data in Salesforce.
  • Exposed data: customer contact and business info (names, emails, phone numbers, physical addresses), support case data, and sales-related data.
  • No indication in the thread that password vaults were accessed in this specific incident; several commenters stress this is “just” a marketing/CRM breach.

Reactions to LastPass’s Security Track Record

  • Many consider LastPass uniquely untrustworthy given multiple past incidents, including earlier exfiltration of encrypted vaults.
  • Some argue that even a non‑vault breach is reputationally devastating for a company whose entire value proposition is safeguarding secrets.
  • Others downplay the impact, noting that similar contact info has already been leaked many times elsewhere.

Third‑Party Services and Supply-Chain Risk

  • Strong criticism of handing customer data to marketing/CRM platforms at all, especially for a security-focused company.
  • Some defend CRM use as standard “table stakes” for sales, though others argue access should be more tightly limited.
  • Broader concern about interconnected SaaS ecosystems where one compromise (Klue) cascades across many vendors.
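The two concerns above (an integration's OAuth token reaching CRM objects it never needed, and one vendor compromise cascading through connected SaaS tenants) translate into two routine defender checks: a least-privilege audit of connected-app grants, and a detection for a token suddenly reading far more customer records than it normally does. The script below is an added example, not code from the thread or from LastPass, Klue or Salesforce; the scope names, object names, grants and API log rows are constructed assumptions standing in for whatever a real tenant's admin API and event logs expose.

```python
"""Audit third-party OAuth grants on a CRM tenant and flag unusual bulk reads
by an integration's token. Added example; all data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Scopes that hand an integration broad, long-lived API access (generic
# OAuth/CRM-style names, assumed for this example).
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}

# Objects whose exposure matches what the thread describes as leaked:
# contact details, support cases and sales data (standard CRM names assumed).
SENSITIVE_OBJECTS = {"Contact", "Lead", "Case", "Opportunity"}


@dataclass
class Grant:
    app: str               # connected app / integration name
    purpose_objects: set   # objects the vendor contract says the app needs
    scopes: set            # scopes actually granted to its OAuth token
    last_used: datetime    # last token refresh or API call


def audit_grants(grants, now, max_idle_days=30):
    """Return {app: [issue, ...]} for grants that violate least privilege:
    broad scopes, tokens idle longer than max_idle_days, or sensitive
    objects reachable through a broad scope without a stated need."""
    findings = {}
    for g in grants:
        issues = []
        broad = sorted(g.scopes & BROAD_SCOPES)
        if broad:
            issues.append(f"broad scopes {broad}")
            extra = sorted(SENSITIVE_OBJECTS - g.purpose_objects)
            if extra:
                issues.append(f"reachable without stated need: {extra}")
        if now - g.last_used > timedelta(days=max_idle_days):
            issues.append(f"token idle > {max_idle_days} days; revoke")
        if issues:
            findings[g.app] = issues
    return findings


def detect_bulk_reads(log, baseline_per_hour, factor=10):
    """Flag (app, hour, records) where records read from sensitive objects
    exceed factor x the app's normal hourly volume. Rows are
    (iso_timestamp, app, object, records_returned)."""
    per_hour = defaultdict(int)
    for ts, app, obj, n in log:
        if obj in SENSITIVE_OBJECTS:
            per_hour[(app, ts[:13])] += n      # bucket by "YYYY-MM-DDTHH"
    alerts = []
    for (app, hour), n in sorted(per_hour.items()):
        if n > factor * max(baseline_per_hour.get(app, 0), 1):
            alerts.append((app, hour, n))
    return alerts


# Constructed sample tenant: three integrations with different grant hygiene.
NOW = datetime(2025, 1, 10, 12, 0)
GRANTS = [
    Grant("intel-tool", {"Account", "Opportunity"},
          {"full", "refresh_token"}, NOW - timedelta(days=1)),
    Grant("support-widget", {"Case"}, {"api:read:Case"}, NOW - timedelta(days=2)),
    Grant("old-survey", {"Contact"}, {"api"}, NOW - timedelta(days=90)),
]

# Constructed API event log and per-app hourly baselines.
BASELINE = {"intel-tool": 50, "support-widget": 200}
SAMPLE_LOG = [
    ("2025-01-10T09:05:00", "intel-tool", "Opportunity", 40),
    ("2025-01-10T10:12:00", "support-widget", "Case", 180),
    ("2025-01-10T11:01:00", "intel-tool", "Contact", 900),
    ("2025-01-10T11:20:00", "intel-tool", "Case", 400),
    ("2025-01-10T11:30:00", "intel-tool", "Account", 5000),  # not sensitive
]

if __name__ == "__main__":
    for app, issues in audit_grants(GRANTS, NOW).items():
        print(app, "->", "; ".join(issues))
    for app, hour, n in detect_bulk_reads(SAMPLE_LOG, BASELINE):
        print(f"ALERT {app} read {n} sensitive records in hour {hour}")
```

The audit treats a broad scope as the trigger for the "reachable without stated need" finding, because with a tenant-wide scope every object is in reach regardless of what the vendor uses day to day; the bulk-read check is deliberately per-app, since a market intelligence tool pulling a few hundred opportunities is normal while the same token pulling every contact and case in one hour is not.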

Debate on Password Manager Risk Models

  • Discussion of systemic risk: password managers greatly reduce per‑site risk but centralize failure into a single high‑value target.
  • Some prefer offline or “local file + sync” models (KeePassXC, Enpass, Pass, etc.) to avoid large hosted vault targets.
  • Others argue properly implemented end‑to‑end encrypted SaaS managers can be as safe or safer in practice and add phishing protection.

Alternatives, UX, and Migration Costs

  • Frequent mentions of alternatives (1Password, Bitwarden, KeePassXC, Enpass, browser-based managers, self‑hosted Bitwarden/Passbolt).
  • UX of local tools and self‑sync viewed as acceptable for technical users but too rough for “normal” users.
  • Migration away from LastPass, especially in organizations or families, is described as time‑consuming and risky, which helps explain customer inertia.

Data Privacy, Liability, and Regulation

  • Debate over how serious another contact-info leak is when such data is already widespread.
  • Others insist normalization of repeated leaks is harmful and that companies should still be held to higher standards.
  • Some call for stronger legal and personal liability for executives to incentivize better security practices.