I can't imagine how I'd survive without Lastpass.
One of its added benefits is seeing just how many different services you don't use any more still have your details.

I did a purge a few months back and I'm down from 150 sites to about 70. It was depressing how many sites I had to email to ask them to delete my account.
I think this is the research they're referring to:

http://devd.me/papers/pwdmgr-usenix14.pdf

(Note that this is a USENIX paper, which makes the "we let them publish it" comment sort of weird.)

The bookmarklet attack isn't subtle; page 8 explains how they were able to set up a malicious site that could obtain LastPass (say) Dropbox credentials.
I love LastPass, and this response is one of the reasons why. There will always be issues in security; there is nothing out there that will ever be perfect. The question is how you respond when things are discovered.

The one caveat I have is that I do wish they open-sourced it. Overall I prefer that when it comes to security.

But LastPass has always responded well when issues come up.
While I do appreciate this disclosure, I'm not sure doing so a year later warrants much applause. While I agree this is a vulnerability that only affects a small subset of users (<1%), the actual number of users could be large depending on the size of their customer base (likely tens of thousands).