Home

Data breach compensation

Hi, having just read the full extent of the two data breaches, I'm slowly going through and updating 320 passwords which are a mix of both personal and work passwords. Not to mention the secure notes, passport info, driving license information, social security numbers and credit card information.

Having just written the last sentence I feel I have placed too much confidence in the security of LastPass. Now you can talk all you want about AES256 encryption, of zero knowledge data architectures and the low probability of someone reverse-engineering my master password. But, at the end of the day I'm left with updating all passwords in my vault, creating a new master password and a keeping my fingers crossed that my master password was strong enough to prevent anyone gaining access to my driving license information and social security information and other secure notes.

So what's LastPass doing about this - I don't recall reading anything other than telling us not to worry.

If on average it takes around 5 minutes per account to change the password, and verify that the updated password has been saved correctly, that's 26 hours of time that I'm going to lose and not be compensted for. The annoying. part is that my auto-renewal was taken on Dec22nd. I had I read the blog post I would be spending the 26 hours emptying my vault and moving to another password manager, who implements stricter security measures for their developers.

At a minimum I feel that LastPass should be at a minimum provide one years free subscription charges or refunding all subscriptions that were paid after the breach was discovered, not to mention five years of free credit monitoring.

I'd love to hear how others are feeling as more news is released on the breach and just how far and wide it went - at least from those users who are staying with LastPass and not jumping to an alternate provider.

Find more posts tagged with

Accepted answers

AshC

Hello, and thanks for your patience.

To clear up some confusion around this request, LastPass was not in violation of any terms of services as outlined in customer contracts.

If you would still like to have a case reviewed by our billing team, this article has a 'Contact Support' link on the right side which leads to a customer form to fill out: https://support.lastpass.com/help/how-do-i-contact-customer-support-for-lastpass-lp010121

You may create a 'Billing' case there, and receive a phone callback or email follow up depending upon your account type.

All comments

just_the_facts

The plaintiff's attorneys are starting to do their work.

At least one class action filed in Massachusetts federal court

https://topclassactions.com/lawsuit-settlements/privacy/data-breach/lastpass-class-action-claims-data-breach-result-of-faulty-security/

https://www.classaction.org/media/debt-cleanse-group-legal-services-llc-v-goto-technologies-usa-inc-et-al.pdf

yesitsme

Guys the only way to get anything is a class action / lawsuit in the US.

Read this carefully: you are discussing refunds of free year in a support website for Lastpass, that says "GoTo" on the upper left corner, community.logmein.com on the url bar, and is not event moderated... they don't give a **bleep**.

MEJ2

I agree. Time to dump LP; the number of security incidents they've had , and this utter failure to assess and report the extent of the impact in a more timely manner, means they can't be trusted.

The hacker community has LP's source code - which means its just a matter of time until they crack LP's proprietary binary data storage, and get access to accounts with weaker master passwords, or potentially find a backdoor left by some careless developer and get the motherload.

The only solution to this would be a complete rewrite of Lastpass - anyone here believe they're going to incur the effort and cost to do that? (If so, you probably shouldn't be on the Internet without adult supervision). Instead, LP is going to patch - and wait for the next breach, and patch - and the cycle will continue indefinitely.

As far as other providers, one RED LINE suggestion: Everything, including the web urls tied to your name, should be encrypted. The fact that LP *DIDN'T* make this trivial effort, is unforgiveable. As a prior commenter pointed out, even if your account login/passwords remain secure, hackers now have a roadmap to every website where you have an account. For most LP users, that's probably 100 to 500 new points of attack, handed to black hat hackers on a silver platter.

Stolting

I'm pretty much doing the same, although I'm struggling to know who to use in place of LastPass. I keep looking but can't decide on alternate provider. I've beeen a premuim LastPass user for several years, in fact both my wife and I have paid subscriptions which I'm looking to offload to another company who give greater protection to my data. DashLane or 1Password look to be good, would love to hear who your thinking of using in the future.

rymar

I'm feeling pretty burned by all this. First they said nothing for months and now telling us not to worry. That in itself is cause for worry. I now get to spend Christmas changing all my PWs. I don't even want free anything at this point. I will be moving my vault to another service after I get all my important passwords changed. I don't trust this app any longer. I'm now researching on where to move to. I feel like sending them an invoice for the hours I'll be spending changing stuff.

MarothX

1 Year compensation? This is probably one of the more traumatic things to happen to many people, on the level of getting robbed or mugged. Lastpass just literally handed every criminal in the world a list of all of the accounts we have, even if they never break the encryption. Just having that info gives them a lot of tools to get into accounts or steal identities, or blackmail people.. Even if you go in and change the hundreds of passwords and security questions you have, if you have information in your secure notes like social securities, driver's license numbers, passport info, birthdays, addresses, names, etc., those are things you can't ever change or get back and will give people pretty much whatever they need to steal identities. To me, this trauma and worry for the rest of my life is at a bare minimum worth top of the line credit/identity protection and monitoring for the next 50 years.

bartfliet515

You're asking for a year free subscription? Like... Just go to a different password manager. I was a paying lastpass customer for 4 years. They had several incidents, and they also lied about their zero knowledge architecture. This isn't a company I can trust with my data anymore.

I switched to bitwarden yesterday and I won't be renewing my subscription with lastpass. This has gone too far.

Opteron64

I was going to ask the same 1 year membership compensation.