Hacker News

zulban, today at 12:16 PM (10 replies)

A lot of people and orgs don't use security products for security. They use them for security theater. A vast majority of people, even many security people, will never hear about this breach. So LastPass still works great for them.


Replies

bko, today at 1:09 PM

I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.

With something like LastPass it's also much easier to create unique strong passwords for other sites.

Also, let's be real:

> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.

I'm pretty sure 99% of the people exposed have already had their names, phone numbers, email and physical addresses leaked already. This has nothing to do with the security of your passwords stored in LP. They have some CRM, some person from their 800 employees clicked a sketchy link and it leaked that. It's not good, but it's hardly an indictment of their product or usefulness.


ivanmontillam, today at 12:48 PM

This.

If you want to be a security vendor reseller, just make sure to sell to orgs that have a compliance requirement, either by law or similar.

Do you sell firewalls? Sell them to banks or something. Anti-malware endpoints? Insurers too. SIEMs? Payment gateways for their PCI DSS environments.

Price it just below what would be the fine for not complying, that way you maximize the invoice.

I stopped playing the security vendor reseller game because it got too boring this way to make money.

stymaar, today at 12:27 PM

And it will continue until we can sue a company that gets breached for criminal negligence. Should a single company executive be personally liable in these situations, the scale of the problem would be orders of magnitude less severe because they would spend the appropriate amount of effort to cover their damn ass.

ibejoeb, today at 6:33 PM

Well, these types of companies typically carry cyber incident insurance. If there was, say, a ransomware attack, the carrier is going to bring in a forensic team to investigate. If it is determined that there was negligence, like not patching a system, that will be used to deny a claim. This might be a little different from the LastPass situation in that it's an untrustworthy vendor, but there's still significant exposure.

If this bank were my client, I would make sure that the decision-makers were aware.

niyikiza, today at 4:04 PM

Because procurement is hard. Changing vendors is a big undertaking for big companies. They are certainly not going to be switching vendors every time there is an incident.

TimXare, today at 1:35 PM

At some companies, "approved security vendor" just means the breach comes with procurement paperwork.

jasonge0_0, today at 2:16 PM

Also use them as a password manager like an advanced version of Excel that fills in the passwords for you. Security isn't part of it. I have the feeling LastPass agrees.

toomuchtodo, today at 1:51 PM

It is inertia. Customers are sticky, they do not switch unless they have to. If you're an enterprise, you have to go through establishing a new vendor relationship, onboarding a new password vault with your IT team, communicate it across the org, migrate data from the old password vault to the new password vault, etc. There is a real cost in time and resources to do this, and so, many avoid it until they have no other choice.

LastPass is owned by PE. Why? Because Francisco Partners and Elliott Management bought a cashflow that is sticky. It's why most software companies were acquired by PE prior to the Cambrian explosion of generative AI.

FireBeyond, today at 6:49 PM

"We need to be able to answer an RFP that asks "do you have a comprehensive credential management system?"."

Just like a previous employer I had, on background checks. "We need to run one. We don't care what you did or didn't do, if you're doing good work for us. But some of our customers require that we have performed them."

close04, today at 12:43 PM

Moving to another solution involves some expense and operational risk (changing procedures, increased human error rates, locking yourself out). Even though the risk of staying with the existing solution goes from "unlikely" to "possible" (so maybe from yellow/amber to red), a lot of companies rationalize it as "but now the provider will be extra careful so the likelihood is actually lower".

CrowdStrike had a famous incident and is still probably #2 in the cybersecurity world. Sometimes assessing risk is a funny business.
