LastGasp (Premium)

LastPass used to be easy to recommend, and even the occasional security breach was understandable and, to date, handled correctly. But not anymore: with its latest episode, LastPass has done the unthinkable and betrayed the trust of its customers. If you’re one of them, it’s probably time to migrate to a new solution.

In many ways, this isn’t about technology. Instead, it’s about communication and trust, two issues that come up a lot in my world because of the way Microsoft has been mismanaging Windows, to my mind, for the past several years. But the LastPass incident is more worrying than silly UI changes in Windows. LastPass is a service that exists solely to securely store some of your most sensitive information.

That hackers would target LastPass is not surprising. The prize here is the same as it’s ever been for thieves: go where the money is. And these days, the money is behind the personal data most of us store online, the passwords and other credentials that let us access our bank and credit accounts. And so LastPass is under constant attack. Of course it is.

What we can do, as current or potential customers, is evaluate how well LastPass protects its customers’ data from these attacks and, as importantly, how it responds when things go poorly. This is as true of companies as it is of individuals: how one reacts in times of emergency or conflict is in many ways the true value of that person (or business).

And, to date, LastPass has responded well. Because negative opinions are amplified online, of course, we hear from every Chicken Little when things go wrong: “Time to leave LastPass!” they’ll declare each time. We have the same debates when prices rise or when feature sets change. It’s the nature of the Internet.

But this time, it may really be time to leave LastPass. In August, the firm reported a security incident in which hackers breached a developer’s account to gain access to the LastPass systems for four days. At the time, the firm said that customer data and passwords were unaffected, and so the story shifted to the usual rigamarole about social engineering and how humans are always the weakest link in the chain. LastPass might have lost some source code, but its customers were protected, it said at the time, by its “zero knowledge” architecture in which it can’t store or access the master passwords used by its customers.

And then three long months went by. And right before Christmas, LastPass finally admitted that the August hack was worse than it had said originally. Happy Holidays, everyone!

“The threat actor copied information from [a] backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service,” LastPass revealed. “The threat actor was also able to copy a backup of custo...

Thurrott © 2024 Thurrott LLC