leftpass's comments

Known quantities don’t typically share ownership by percentage. Certainly an early startup might offer x% equity, but once a quantity is known — therefore, no risk — you’re getting issued amounts of equity based on their value. I would be exceptionally surprised if YC are giving product engineers multi-million stakes at signing; I’d bet money that does not happen. If there is an equity compensation component (doubtful but not impossible), it’ll be measured in dollars.

As much as “exposure” is worthless, having worked for YC is worth more than a few hundred grand. I’d work for YC as an engineer below market rate.


Many companies forbid the sale of usernames in their terms of service, so an attempt to auction it off could result in it being revoked. Generally, when sales of usernames do happen, it’s in private so there’s little reason to take action… it’s why there’s no reputable marketplace for usernames.


Not just themselves; often it's stolen to order: there have been a few mainstream stories about this, and they often mention that paying off Facebook employees is pretty commonplace, because the value of these usernames and the low-paid customer service representatives are a recipe for bribery.


An extra consideration is that LastPass claim to be monitoring their systems constantly, and specifically call out automated attempts ("fairly common bot-related activity"), so we can assume that monitoring includes "attempts to login with wrong passwords" or "attempts to login to accounts that do not exist". That information would be a good way to identify a credential-stuffing attack with confidence, i.e. they might be seeing millions of login attempts to accounts that don't exist + accounts that do with the wrong password...

If that is the case, then the email must be sent in error... which is definitely plausible, i.e. they have a logic mistake somewhere in their system which is incorrectly identifying some unsuccessful attempts as successful (which is triggering an event which triggers the email, the audit log entry, etc.).

Hopefully they make a better statement soon, because this is very terrible communication from a password management company.


That's possible, but the audit log shows the event that triggered the email and failed logins as two separate things.

The events are "failed login" and "Login verification email sent". The second one is what triggered the email and this event seems like it should only happen if you correctly login but their additional checks stop it from authenticating completely. The email has a button for "verify new device or location", which sure makes it seem like the login was successful.

I hope they just mangled up their event logger and it really should have been a failed login attempt but was logged as a valid login and triggered the email.


I thought that LastPass didn't send your master password over the wire, rather it uses client-side code to take your Master Password and turn it into a hash which is then sent to LastPass for comparison[1]. If that is the case, how can LastPass claim to know that your master password was used? At best, they can claim that the hash sent to the server matches your password's hash but that is not the same as your master password being used.

Given the widespread nature of this issue, I'd guess someone has discovered a flaw in the LastPass login process which is allowing a bad hash to pass the master password hash check: that contradicts what the support agent said, but I'd assume they're mistaken, rather than that LastPass is lying in their documentation about how their system works.

[1] https://support.logmeininc.com/lastpass/help/about-password-...


Very interesting theory!

What's a bit surprising is how "low effort" the rest of the attack was: presumably if they found this flaw to bypass passwords, they then attempted to login (which caused an email to be sent out), but LastPass stopped them because they (i.e. the folks on the Brazil IP range) were logging in from a new IP.

So this would be a case of one protective layer (the new IP detection) compensating for a vulnerability in the other one (the password protection).

That would be "re-assuring" in a certain way (as the passwords themselves did not leak -- presumably!).

Thanks


Another possibility is that one of their (many) previous security incidents led to the leaking / exposure of master password hashes, and maybe LastPass don't treat the password hashes as they should (as a password!) and didn't take steps to ensure that any compromised hashes couldn't be re-used. So, potentially, your master password is safe, but there's a hash of it floating around.

Personally, I've long recommended people stay well clear of LastPass for their bad record of security, so shipping a bug in password-hash verification, or treating password hashes haphazardly would not surprise me in the slightest.


Again, really great point re: our password hashes floating around, rather than the passwords themselves.

I wonder if haveibeenpwned.com would somehow have information about this. I just pinged them on Twitter.


If LastPass were zero-knowledge then this wouldn't make sense. The master password or some derivative of it should decrypt your passwords on the local device.

I use Keeper and despite it being cloud based, that's exactly how it works.
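The three comments above describe one design: the client derives a vault key from the master password locally (the zero-knowledge point), sends only a further one-way derivative to the server for login (the "hash sent for comparison" point), and the server must then treat that derivative as a password in its own right, or a leaked database row can be replayed (the "hash floating around" point). The following is an added illustration written for this page; it is not LastPass's, Keeper's, or any vendor's code, and the email-as-salt, PBKDF2-HMAC-SHA256, iteration count, and class names are this example's own assumptions, with the iteration count kept small so it runs quickly.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration only; a real deployment uses a far
# higher iteration count and its own salt and key-derivation choices.
ITERATIONS = 20_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: the key that decrypts the vault. It never leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS, dklen=32
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more one-way step produces the value sent to the server.
    The server can check it, but cannot recover the vault key or password from it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


class NaiveServer:
    """Stores the auth hash exactly as received. A leaked row is itself a login credential."""

    def __init__(self):
        self.db = {}

    def register(self, email: str, auth_hash: bytes) -> None:
        self.db[email] = auth_hash

    def login(self, email: str, auth_hash: bytes) -> bool:
        stored = self.db.get(email)
        return stored is not None and hmac.compare_digest(stored, auth_hash)


class HardenedServer:
    """Treats the auth hash as a password: stores only a salted, slow hash of it."""

    def __init__(self):
        self.db = {}

    def _stretch(self, auth_hash: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS, dklen=32)

    def register(self, email: str, auth_hash: bytes) -> None:
        salt = os.urandom(16)
        self.db[email] = (salt, self._stretch(auth_hash, salt))

    def login(self, email: str, auth_hash: bytes) -> bool:
        record = self.db.get(email)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._stretch(auth_hash, salt))


def client_login(server, email: str, master_password: str) -> bool:
    """What a device does at login: derive locally, send only the auth hash."""
    vault_key = derive_vault_key(master_password, email)
    return server.login(email, derive_auth_hash(vault_key, master_password))


def demo() -> dict:
    """Register one constructed account on both server models and compare outcomes."""
    email = "user@example.com"           # constructed sample account
    password = "correct horse battery"   # constructed sample master password
    vault_key = derive_vault_key(password, email)
    auth_hash = derive_auth_hash(vault_key, password)

    naive, hardened = NaiveServer(), HardenedServer()
    naive.register(email, auth_hash)
    hardened.register(email, auth_hash)

    return {
        # normal logins from a device that knows the master password
        "correct_password": client_login(hardened, email, password),
        "wrong_password": client_login(hardened, email, "wrong"),
        # a second device with the same password derives the same vault key locally
        "same_key_on_second_device": derive_vault_key(password, email) == vault_key,
        # the server-side value is not the decryption key
        "vault_key_equals_auth_hash": vault_key == auth_hash,
        # consequence of a database leak: the naive row logs in as-is,
        # the hardened row is not a credential without the original auth hash
        "leaked_naive_row_logs_in": naive.login(email, naive.db[email]),
        "leaked_hardened_row_logs_in": hardened.login(email, hardened.db[email][1]),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `HardenedServer` is the mitigation the "treat the hash as a password" comment asks for: even a full copy of its table does not let anyone authenticate, and the vault key never reaches either server, which is what makes the design zero-knowledge in the sense the last comment describes.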

