There ought to be some kind of legal sanction against companies that try to hide the seriousness of data breaches.

I read the customer update, and the severity of this breach is hidden deep in the statement and skimmed over.

Basically: LastPass just shared which sites you have logins for with the attacker. This could be sold or released to the entire world. They claim the usernames are encrypted fields, but often the usernames can also be in the URLs saved along with the site.
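The point above about usernames hiding in saved URLs is easy to check against your own data. The following is an added example, not code from the thread and not anything LastPass ships: it takes a list of URLs (for instance the URL column of a vault export) and flags account identifiers embedded in them. The identity-bearing query keys and path keywords are assumptions, and the sample URLs are constructed for illustration.

```python
"""Scan saved-site URLs for account identifiers that leak in the URL itself.

Added example (not from the original thread, not LastPass code). Assumes a
plain list of URL strings; keyword lists below are heuristics (assumptions).
"""
import re
from urllib.parse import urlsplit, parse_qs

# Query-string keys that commonly carry an account identifier (assumption).
IDENTITY_KEYS = {"user", "username", "login", "email", "account", "uid", "u"}
# Path segments that are usually followed by a username (assumption).
PATH_KEYWORDS = {"user", "users", "u", "profile", "account", "member"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample input standing in for the URL field of a vault export.
SAMPLE_URLS = [
    "https://alice@git.example.com/repo",                       # userinfo
    "https://bob:hunter2@ftp.example.com/",                     # userinfo + password
    "https://mail.example.com/login?username=alice.smith",      # query parameter
    "https://forum.example.com/users/alice_s/settings",         # path segment
    "https://app.example.com/reset#email=alice@example.com",    # e-mail in fragment
    "https://bank.example.com/",                                # clean
]


def find_identity_leaks(url):
    """Return a list of (where, value) pairs for identifiers embedded in url."""
    leaks = []
    seen_values = set()

    def add(where, value):
        if value and value not in seen_values:
            seen_values.add(value)
            leaks.append((where, value))

    parts = urlsplit(url)

    # 1. userinfo: https://alice@host/ or https://alice:secret@host/
    add("userinfo", parts.username)
    add("userinfo-password", parts.password)

    # 2. query parameters such as ?username=alice
    for key, values in parse_qs(parts.query).items():
        if key.lower() in IDENTITY_KEYS:
            for v in values:
                add("query:" + key, v)

    # 3. path segments like /users/alice or /u/alice
    path_parts = [p for p in parts.path.split("/") if p]
    for i, seg in enumerate(path_parts[:-1]):
        if seg.lower() in PATH_KEYWORDS:
            add("path:" + seg, path_parts[i + 1])

    # 4. e-mail addresses anywhere in path, query or fragment
    for segment in (parts.path, parts.query, parts.fragment):
        for match in EMAIL_RE.findall(segment):
            add("email", match)

    return leaks


def scan(urls):
    """Map each URL that leaks an identifier to its findings."""
    results = {}
    for url in urls:
        findings = find_identity_leaks(url)
        if findings:
            results[url] = findings
    return results


if __name__ == "__main__":
    for url, findings in scan(SAMPLE_URLS).items():
        print(url)
        for where, value in findings:
            print("   ", where, "->", value)
```

Run it over your own export and anything it reports is information an attacker holding the unencrypted URL field already has, regardless of how well the username field is encrypted.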
This is only tangentially related, but I just noticed that LastPass reactivated an account I closed 3 years ago and began billing me two years ago. I just caught the second charge, and when I confronted them, they said they can only refund within 30 days!

So check your statements and see. I'm curious to know how many more people this has happened to.
This title is so manipulative and misleading. The attacker stole a mountain of AES-encrypted blobs, so unless this threat actor has broken AES already, it'll probably be decades before they'll be able to peer into your secrets.