LastPass Leak Update: Encrypted Vaults Leaked, AND **URLs are not encrypted in LastPass**, so all URLs in your vault should be considered public information now, linked to your name and information. Goodbye LastPass, that's crazy bad by design.

Looking forward to Steve's and @leo's take on this in SN.

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

@aiden56 @leo Can you help me understand the security issue with the site URLs being exposed. What information is vulnerable as a result? My email address? I could wait for Steve Gibson's take, but I'm curious now. Thanks.
@Sarenberg @leo - I see it as a) privacy (do you want people to know all the sites you are on) and b) makes password reuse checks much easier if any of your passwords have ever been leaked.
@aiden56 @leo Yes. Good points. Thank you. I really like the LP UI, the emergency access feature, ease of sharing passwords, etc. But this does have me considering other options. I wonder how painful it is to switch password managers…

@aiden56 @Sarenberg @leo

Can someone explain why I should be concerned? Because my passwords were encrypted, and all of the passwords are long and complicated - basically indistinguishable from line noise. The URL to a site doesn't seem like particularly sensitive information.

@gaffa @Sarenberg @leo 'sensitive' depends on your own standards. It also means that people can brute force your vault password (perhaps not an issue if long and complicated) and of course 2FA is merely a server side check, not part of the encryption key, so that is skipped once they have the actual vault offline.

@aiden56 @Sarenberg @leo

All of my passwords are unique and at least 12 characters with a mixture of numbers, letters, cases & symbols.

So I'm not particularly worried that anybody is going to brute force any of them, and if they do, they're not going to succeed until the heat death of the universe.

I'm not going to drop LastPass, given that they are being honest.
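An added illustration of the two points argued above (@aiden56's: once the ciphertext is offline, 2FA no longer matters and the master password can be guessed; @gaffa's: a long random password makes that guessing hopeless). This is not code from the thread or from LastPass: the key derivation shown (PBKDF2-HMAC-SHA256), the iteration count, the salt, the assumed character set and the attacker guess rate are all constructed assumptions, not LastPass's actual parameters.

```python
"""Offline vault guessing: what the attacker needs and how long it takes.

Added example, not from the thread. The KDF layout and every number below
are assumptions chosen for illustration, not LastPass's real values.
"""
import hashlib
import math
import time

CHARSET_SIZE = 94                    # assumed policy: letters, digits, symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_ITERATIONS = 100_000         # constructed KDF cost, not a vendor value


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the vault encryption key from the master password.

    The only inputs are password, salt and iteration count. No second factor
    takes part, so a server-side 2FA check is irrelevant to anyone holding a
    copy of the encrypted vault: they never talk to the server at all.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def password_space(length: int, charset_size: int = CHARSET_SIZE) -> int:
    """Number of candidate passwords of exactly this length."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int = CHARSET_SIZE) -> float:
    """Entropy of a uniformly random password of this length."""
    return length * math.log2(charset_size)


def expected_years_to_guess(
    length: int, guesses_per_second: float, charset_size: int = CHARSET_SIZE
) -> float:
    """Expected time to hit a random password: on average half the space is searched."""
    return password_space(length, charset_size) / 2 / guesses_per_second / SECONDS_PER_YEAR


def measure_guess_rate(iterations: int, samples: int = 20) -> float:
    """Rough single-core guesses/second at this KDF cost on this machine.

    Each guess costs one full key derivation, which is the whole point of a
    slow KDF: the iteration count is the defender's only lever here.
    """
    salt = b"constructed-salt-value"          # constructed, not a real vault salt
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Same password and salt -> same key; the server is not in the loop.
    key = derive_vault_key("correct horse battery staple", b"constructed-salt-value",
                           ASSUMED_ITERATIONS)
    print("vault key (hex):", key.hex())

    local_rate = measure_guess_rate(ASSUMED_ITERATIONS)
    attacker_rate = 1e9   # constructed: a well-funded GPU farm, for scale
    print(f"this machine, one core: {local_rate:,.0f} guesses/s")
    print(f"assumed attacker:       {attacker_rate:,.0f} guesses/s\n")
    print(f"{'len':>3} {'bits':>6} {'years (1 core)':>16} {'years (attacker)':>18}")
    for length in (8, 10, 12, 16):
        print(f"{length:>3} {entropy_bits(length):>6.1f} "
              f"{expected_years_to_guess(length, local_rate):>16.3g} "
              f"{expected_years_to_guess(length, attacker_rate):>18.3g}")
```

Running it prints a table showing why the argument turns on master-password length: at 12 random printable characters the search is roughly 78 bits and does not finish in any useful time even at the assumed billion guesses per second, whereas a short or dictionary-based master password falls quickly regardless of any 2FA setting on the account.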