>"Klue has not said how many of its hundreds of customers are affected. Several companies have come forward to confirm they had data stolen during the attack, including Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium."

>Cybercrime group Icarus took credit for the breach, saying on its leak site that it will publish the stolen data on Monday if the company does not pay the hackers’ ransom."

https://techcrunch.com/2026/06/22/klue-hack-results-in-data-...

For anyone looking for a recommendation: I use KeepassXC with Keepass2Android. Open source, with a local database that you can choose to sync (or not). I sync using Own cloud.

> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.

but for the past couple years I've just generated and forgotten 90% of my passwords. the final 10% I keep in a password manager. But if the service isn't really that important I just use the 'forgot my password' to change and generate a new password every time I need to login

This approach seems better to me. For one thing, I'd already be screwed if someone malicious got into my Google account, probably worse than if they got into my password manager. And additionally, this means they're not creating an absolute jackpot of data to breach in a centralized place. No one's gonna hack Enpass of all their passwords because that would require hacking all of Google Drive, Dropbox, iCloud, etc. and looking for the files manually.

The lesson here is to get off of LP ASAP, you can figure out where to go later.

i can sympathize a little bit with companies that stick with lastpass. when i had to switch an org from lastpass to 1password, it was a massive undertaking and incredibly annoying. however, i have no sympathy for anyone who has chosen lastpass after 2022.

I "just" use google chrome password manager for "everything".. yes im sure it horrifies some HN ppl but my thinking is, from all the password managers out there, does anyone one spend more on security or hire better security ppl or have access to better security tools and infra than google (yes yes im sure outliers and some counter examples exists).

I routinely die a little inside when i see my gf (none techie) try and remember which one of her fav 3-5 often used passwords she has used for site/service abc as she tries to login.

Kinda tongue in cheek, I always tell her if you can remember your password it's a bad one !

Well, I hope Klue got them more customers than they are losing due to this.

1- Tradeoff individual account risk, for systemic risk. You may argue password managers are safe, but few would argue that the risk model reduces the risk of individual password leaks more than the risk of all your passwords leaking. It's a tradeoff.

2- Cat and mouse security: There's a class of security decisions that work because they are new and different. First the weakness was that passwords were short, then you make passwords long but unmemorable, so people rely on some other mechanisms to authenticate, like a file on their computer, a drive, a fingerprint, facial recog, which may in turn be protected by a second factor password.

At first the new security model will not be stressed, but as more users migrate from one security model to the next one, that's when you are able to compare the security of both technologies, it starts being a juicy enough target that it becomes attacked.

So we are at the point where password managers are used enough that they start becoming worthwhile targets of attack (to overcome the difficulty of vulnerating them).

Also worth noting that these attacks are more winner-takes-all. In the sense that rather than seeing one account hacked every couple of hours, you will see them all hacked at once, because you introduced a vendor in the password supply chain AND because the vendor centralizes all of the passwords. So target that one vendor and from a single attack you get all the spoils. So when comparing the security of the olden method and the new, just 1 incident is enough to undo all of the reputational gains it has made over the years.

https://news.ycombinator.com/item?id=48647272

Third time's the charm

Private company third party password managers are bad. Across the board. They're a bad idea.

Deeply localized actual best practices can help solve this. Private companies can also help, but only if it isn't in the form of "you can't have this unless you pay for it." The point is, it's like fighting fires, you can't isolate it.

It's a complete dead-end and the sooner the industry realizes this the better.