LastPass breach just keeps getting worse

As breaches go, this one is pretty disturbing. Not just for the sensitivity of the stolen data, but also because of the poor disclosure practises followed by LastPass :sweat:

This is why I don’t use cloud services to manage my banking passwords (I use KeePass, and I store the database in a git repo, so I can see the change histories when syncing between devices). I still use Chrome to manage all other passwords though – hopefully the combination of Google’s security practices and 2FA will keep all the other accounts that I care about secure.

I just saw in this thread that you used to be a LastPass user. Were you able to ask them to delete all of your passwords when you switched?

Unfortunately, I didn’t delete my account when I switched, so my vault was still on their systems. While I have a five-word passphrase, so not immediately worried about the entire vault being brute-forced, the plaintext URL storage does give me a bit of discomfort.

I’ve terminated my account now, although that particular horse has already bolted :sweat: