HackerTrans
TopNewTrendsCommentsPastAskShowJobs

leftpass

no profile record

comments

leftpass
·5 वर्ष पहले·discuss
known quantities don’t typically share ownership by percentage. certainly an early startup might offer %x equity, but once a quantity is known — therefore, no risk — you’re getting issued amounts of equity based on their value. I would be exceptionally surprised if YC are giving product engineers multi-million stakes at signing, I’d bet money that does not happen. If there is an equity compensation component (doubtful but not impossible), it’ll be measured in dollars.

As much as “exposure” is worthless, having worked for YC is worth more than a few hundred grand. I’d work for YC as an engineer below market rate.
leftpass
·5 वर्ष पहले·discuss
Many companies forbid the sale of usernames in their terms of service, so an attempt to auction it off could result in it being revoked. Generally, when sales of usernames do happen, it’s in private so there’s little reason to take action… it’s why there’s no reputable marketplace for usernames.
leftpass
·5 वर्ष पहले·discuss
Not just themselves, often it's stolen to order: there's been a few mainstream stories about this and they often mention that paying off Facebook employees is pretty commonplace because the value of these usernames and the low paid customer service representatives are a recipe for bribery.
leftpass
·5 वर्ष पहले·discuss
An extra consideration is that LastPass claim to be monitoring their systems constantly, specifically call out automated attempts ("fairly common bot-related activity"), so we can assume that monitoring includes "attempts to login with wrong passwords" or "attempts to login to accounts that do not exist". That information would be a good way to identify a credential-stuffing attack with confidence, i.e: they might be seeing millions of login attempts to accounts that don't exist + accounts that do with the wrong password...

If that is the case, then the email must be sent in error... which is definitely plausible, i.e: they have a logic mistake somewhere in their system which is incorrectly identifying some unsuccessful attempts as successful (which is triggering an event which triggers the email, the audit log entry etc).

Hopefully they make a better statement soon, because this is very terrible communication from a password management company.
leftpass
·5 वर्ष पहले·discuss
Another possibility is that one of their (many) previous security incidents led to the leaking / exposure of master password hashes, and maybe LastPass don't treat the password hashes as they should (as a password!) and didn't take steps to ensure that any compromise hashes couldn't be re-used. So, potentially, your master password is safe, but there's a hash of it floating around.

Personally, I've long recommended people stay well clear of LastPass for their bad record of security, so shipping a bug in password-hash verification, or treating password hashes haphazardly would not surprise me in the slightest.
leftpass
·5 वर्ष पहले·discuss
I thought that LastPass didn't send your master password over the wire, rather it uses client-side code to take your Master Password and turn it into a hash which is then sent to LastPass for comparison[1]. If that is the case, how can LastPass claim to know that your master password was used? At best, they can claim that the hash sent to the server matches your password's hash but that is not the same as your master password being used.

Given the widespread nature of this issue, I'd guess someone has discovered a flaw in the LastPass login process which is allowing a bad hash to pass the master password hash check: that contradicts what the support agent said, but I'd assume they're mistaken, rather than LastPass are lying in their documentation about how their system works.

[1] https://support.logmeininc.com/lastpass/help/about-password-...