How does anyone seriously trust LastPass anymore? Years ago, I was working for a company handling bank data. They were using LP immediately following a previous LP security incident and had no plans to migrate away.
If the passwords are still not known, the "breach" is not a fail for the end user. If the master password to the vault is secure, and the only way to the vault is still only through the master password, it's still doing what the end user wants it to do. "Breach" is meaningless without qualifiers.
How anyone trusts ANY third party with all their passwords and encryption keys is beyond me.
Setting up KeePassXC is trivial.
I’ve done a lot of security consulting work for hundreds of companies, and one thing I noticed is that the companies that actually took security seriously were the ones that had been breached in the past. Until the execs and board see the dollar impact themselves and not just read about it, the security program never gets the funds it needs.
I’m not saying I recommend LastPass for that reason, but I wouldn’t write them off for that reason.
If you think I'm going to try and get my mom onto a different password manager, after it took literally ten years to migrate her away from the printed list in her purse...
People still use Windows
The one that amazes me is Okta.
OK, their Mac UX is great, but given their rate of incidents how can you trust it?
Clearly this stuff is not actually bought based on track record.
What's the risk, and does that change by moving to an alternative?
Companies deal with leaked secrets a lot. A company already using a password manager is ahead of the game.
Suppose they move to a competitor. That's a migration and training that someone has to drive. What do they gain? Another company that can also have exploits? Or they self-host, and now have to fund that, and still potentially get exploits?
Ultimately, this likely isn't that big of a deal for a company.
And they have to weigh it up against all the other things that they can be doing.
I remember ten years ago telling our so-called leaders that the data will get leaked from LastPass. They were all gung-ho about it being secure blah de blah. Luckily most of us don't work there anymore.
I had one of their salesmen harassing me back in 2018 or 2019 when one of their many breaches hit. I said "this is why."
> They were using LP immediately following a previous LP security incident
“Yeah, but they fixed that!”
Normies don’t pull the historical list of breaches and vulns.
They just read headlines.
A lot of people and orgs don't use security products for security. They use them for security theater. A vast majority of people, even many security people, will never hear about this breach. So LastPass still works great for them.