THIS is the last part of the third section of a report I left with the company before leaving at the start of this month. There will be a lot more information about this scandal next month. Recent E-mails are appended below (with certain stuff redacted for privacy's sake).
I cautioned about this repeatedly (for about 4 years) and suffered retribution, threats, and more. Nothing has improved since then.
As just a little sample, please see the E-mails at the bottom (recent); shared in the future will be some longer E-mails about this issue.
But first... the report.
Date: Tue, 30 Aug 2022 09:00:50 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050317 Thunderbird/1.0.2 Mnenhy/0.7.4.0
From: Roy Schestowitz
Subject: Handover to Shift 2 (30/08/22)
To: [whole team]
[...]
https://www.darkreading.com/cloud/lastpass-data-breach-source-code-stolen
Users need to change all the passwords they have there and not keep them there if they value real security, not paper mills.
Date: Thu, 11 Aug 2022 03:10:53 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050317 Thunderbird/1.0.2 Mnenhy/0.7.4.0
Content-Language: en-US
From: Roy Schestowitz
Subject: Slack admits to leaking hashed passwords for five years
To: [whole team]
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
https://nakedsecurity.sophos.com/2022/08/08/slack-admits-to-leaking-hashed-passwords-for-three-months/
Does not surprise me at all. They only admit this because they got caught, hence they need to spin this somehow, belittling the severity, just as LastPass did after several blunders (it had suffered a breach). The way forward is self-hosting and encrypting things (on server one controls, not leasing).