This is a great breakdown of LastPass’s blogpost about their security breach and everything left unsaid.

Even if you don’t blame them for being breached given how much of a high value target they are, you should blame them for downplaying the severity and not taking enough action to protect their customers.

https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/

What’s in a PR statement: LastPass breach explained

The LastPass statement on their latest breach is full of omissions, half-truths and outright lies. I’m providing the necessary context for some of their claims.

Almost Secure

@carnage4life Agreed.

But also, even if you don’t blame them for being breached, you should blame them for being breached.

This wasn't a zero-day; this was a security-focused company that (once again) failed to follow basic security protocols.

@carnage4life I didn't even realize this had happened. Now I've got to spend the rest of my break changing a bunch of passwords and updating to a new security platform. At least my LastPass subscription was scheduled to be up, anyway.

@carnage4life It's my understanding that they are never receiving your master password, even when logging in at the website. My understanding is that it is hashed client side and only hashes are compared. However, I have not verified that.

@WiredWiz @carnage4life This is correct. Your passwords are safe.

@WiredWiz @erin This is inaccurate, your passwords are NOT safe. That the hackers do not have your master password is an accurate statement.

Whether or not your hashed passwords are safe depends on multiple factors including the strength of your master password.

@carnage4life @erin Yes, but I'm referring to the statement made that hackers could potentially intercept your master password when logging in. I do not believe that is possible with their current design. I believe they would need to alter the source code and push it to customers first before they could intercept the master.

@carnage4life @erin Although I suppose in the case of the website, there really is no code change to "push", since that is the nature of websites, so fair enough.

@WiredWiz @erin If they had access to LastPass’s internal systems long enough to steal the entirety of their customer database, I don’t see why them being able to alter the LastPass website would be treated as some impossible thing.

@carnage4life @erin Fair point. I do appreciate the deep dive. It is a good wake-up call for users in general to be more mindful of their security.

@carnage4life @erin I'm not saying LastPass isn't deserving of the criticism, I just think the statement about hackers potentially intercepting the master password is exaggerated if my understanding of the current design is correct.

@WiredWiz @carnage4life @erin The rule is: when you don't know what's been compromised, you MUST assume everything is compromised, regardless of what the vendor or platform is telling you. Change every password and switch to a new password manager.

@mphinpgh @carnage4life @erin Well, I feel pretty good about my credentials being safe, given my password, iterations and after inspecting my vault data. That said, I'll still be switching to another provider because LastPass has shown that user security is not their highest priority.

@carnage4life blah blah blah, we lost your info to people, now we say things so that we cover our butts maybe

@carnage4life I certainly hope all of the other password manager platforms are reviewing their security practices.

@carnage4life "Congratulations on your successful implementation of Zero Trust"

@carnage4life I partially blame Steve Gibson a bit because long ago, when he was talking about how it all worked, he described it as an "encrypted blob" ...which it is not. It is a blob of many small encrypted data. All this time I had been under the impression that the entire vault was not accessible by anyone other than the user via local tooling.