Canceling LastPass

12 years ago I started paying for LastPass Premium. Today, I canceled my subscription, migrated my data to a different service, and deleted my account.

I used a very strong password and higher-than-default PBKDF2 iterations, so I’m not too worried about a brute-force of my vault. My problem is two parted:

1: LastPass did not engage in a properly post-breach analysis / cleanup. Resetting passwords/keys/credentials/etc is easily the most basic/common breach recovery tactic. That they skipped this, is inexcusable.

2: LastPass seemingly hasn’t invested in securing their development environment. Introducing vulneraries into the codebase is their biggest risk. Attackers going after the dev environment should not have been a surprise.

As others have speculated, it seems the acquisition by LogMeIn has resulted in shifting from a focus on security, to instead a focus on features and profit. I have no proof of this, but points 1 & 2 above seem to support this speculation.

For those also jumping to other providers, I do recommend rotating all your vaulted passwords. Unless you had a very weak master passwords, there’s no huge rush. But everyone should presume that “eventually” a well-funded adversary will be able to brute force your vault.

Standard caveat, the above is my personal opinion and does not represent anyone else’s opinion/position.

This post originally appeared on Mastodon.