This is a great breakdown of LastPass’s blog post about their security breach and everything left unsaid.

Even if you don’t blame them for being breached given how much of a high value target they are, you should blame them for downplaying the severity and not taking enough action to protect their customers.

https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/

What’s in a PR statement: LastPass breach explained

The LastPass statement on their latest breach is full of omissions, half-truths and outright lies. I’m providing the necessary context for some of their claims.

Almost Secure

@carnage4life It's my understanding that they are never receiving your master password, even when logging in at the website. My understanding is that it is hashed client side and only hashes are compared. However, I have not verified that.

@WiredWiz @carnage4life This is correct. Your passwords are safe.

@WiredWiz @erin This is inaccurate, your passwords are NOT safe. That the hackers do not have your master password is an accurate statement.

Whether or not your hashed passwords are safe depends on multiple factors including the strength of your master password.

@carnage4life @erin I'm not saying LastPass isn't deserving of the criticism, I just think the statement about hackers potentially intercepting the master password is exaggerated if my understanding of the current design is correct.

@WiredWiz @carnage4life @erin The rule is: when you don't know what's been compromised, you MUST assume everything is compromised, regardless of what the vendor or platform is telling you. Change every password and switch to a new password manager.

@mphinpgh @carnage4life @erin Well I feel pretty good about my credentials being safe, given my password, iterations and after inspecting my vault data. That said, I'll still be switching to another provider because LastPass has shown that user security is not their highest priority.
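The thread above argues two points: that a client-side derived hash, not the master password, is what reaches the server, and that once an encrypted vault is stolen, safety depends on the master password's strength and the KDF iteration count. The following is an added illustration written for this page; it is not LastPass's code and does not describe their actual implementation. It assumes a generic PBKDF2-HMAC-SHA256 scheme in which the account identifier is the salt, the vault key stays on the client, and a separate one-round "login hash" is what the server stores and compares. The iteration counts and guessing rate are constructed figures for the arithmetic, not measurements.

```python
import hashlib
import hmac

# Constructed parameters for an assumed PBKDF2-based client-side scheme.
# These are illustration values, not LastPass's real settings or code.
EXAMPLE_ITERATIONS = 100_100


def derive_vault_key(master_password: str, account_id: str, iterations: int) -> bytes:
    """Client side: stretch the master password into a 256-bit vault key.

    The account identifier acts as salt so two users with the same password
    get different keys. This key never leaves the client in the assumed design.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        account_id.encode("utf-8"),
        iterations,
        dklen=32,
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: the value sent to the server instead of the password.

    One extra PBKDF2 round over the vault key (assumed design). The server
    learns neither the master password nor the key that decrypts the vault.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode("utf-8"), 1, dklen=32
    )


def server_verify(stored_login_hash: bytes, presented_login_hash: bytes) -> bool:
    """Server side: compare stored and presented hashes in constant time."""
    return hmac.compare_digest(stored_login_hash, presented_login_hash)


def expected_offline_guess_years(
    entropy_bits: float, iterations: int, kdf_rounds_per_second: float
) -> float:
    """Risk estimate for a stolen vault: expected offline guessing time.

    An attacker holding the encrypted vault can test guesses without talking
    to the server. On average half the keyspace is searched, and each guess
    costs `iterations` PBKDF2 rounds, so time scales linearly with the
    iteration count and doubles with every bit of password entropy.
    `kdf_rounds_per_second` is a constructed benchmark, not a measurement.
    """
    guesses = 2 ** (entropy_bits - 1)
    seconds = guesses * iterations / kdf_rounds_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample account.
    account = "user@example.com"
    password = "correct horse battery staple"

    key = derive_vault_key(password, account, EXAMPLE_ITERATIONS)
    login_hash = derive_login_hash(key, password)
    print("vault key (client only):", key.hex()[:16], "...")
    print("login hash (sent to server):", login_hash.hex()[:16], "...")
    print("server accepts:", server_verify(login_hash, derive_login_hash(key, password)))

    # Same password entropy, two iteration counts: the low count the thread
    # worries about versus the higher example value. Rate is constructed.
    rate = 1e9
    for bits in (30, 40, 60):
        low = expected_offline_guess_years(bits, 5_000, rate)
        high = expected_offline_guess_years(bits, EXAMPLE_ITERATIONS, rate)
        print(f"{bits}-bit password: {low:.3g} years at 5,000 iterations, "
              f"{high:.3g} years at {EXAMPLE_ITERATIONS:,} iterations")
```

The point the numbers make is the one @mphinpgh raises: iteration count buys a linear factor, while each bit of master-password entropy buys a factor of two, so a short password is not rescued by a high iteration count, and an old account left at a low count loses most of the margin a strong password would otherwise provide.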