Some more #LastPass research, once again proving that locally encrypted passwords don't necessarily result in data being safe/private on their server. Issue reported November last year, supposedly fixed (I have my doubts).
@WPalant Yeah, LogMeIn doesn't give a shit about this. I warned them about this general problem in 2015 and they didn't seem to understand.
"Oh but you can *trust* our servers!"
@varx At some point they accepted my logic that their servers shouldn't be trusted. But now I got a bullshit answer again: "Due to SOC2 compliance a single person within development does not have the power to make such a change to the code." A quick look at SOC 2 didn't show any relevant criteria - not that it has any specific requirements at all. Also, this answer excludes all people outside development. What about server admins or management, can a single person there make this change?