This is a great breakdown of LastPass’s blog post about their security breach and everything left unsaid.

Even if you don’t blame them for being breached given how much of a high-value target they are, you should blame them for downplaying the severity and not taking enough action to protect their customers.

https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/

What’s in a PR statement: LastPass breach explained

The LastPass statement on their latest breach is full of omissions, half-truths and outright lies. I’m providing the necessary context for some of their claims.

Almost Secure

@carnage4life It's my understanding that they are never receiving your master password, even when logging in at the website. My understanding is that it is hashed client side and only hashes are compared. However, I have not verified that.

@WiredWiz @carnage4life this is correct. Your passwords are safe.

@WiredWiz @erin This is inaccurate, your passwords are NOT safe. That the hackers do not have your master password is an accurate statement.

Whether or not your hashed passwords are safe depends on multiple factors including the strength of your master password.
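To make the distinction in this exchange concrete, here is an added example (not code from LastPass or from the linked article) of the client-side derivation model under discussion: the browser stretches the master password into a vault key with PBKDF2, sends the server only a further one-way hash, and the server compares hashes. The iteration count, the derivation steps and the work-factor formula are assumptions for illustration; the point it shows is that the server never sees the master password, while the cost of an offline search over a stolen vault is set entirely by iterations times master-password entropy.

```python
import hashlib
import hmac

# Assumed stretching cost for this example; real products pick their own value.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Client side: stretch the master password into the key that encrypts the vault.
    The (lower-cased) e-mail acts as a per-user salt, an assumption for this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations, 32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one extra one-way step, so the value sent over the wire is neither
    the master password nor the vault key itself."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, 32)


def client_login_message(master_password: str, email: str) -> bytes:
    """Everything the client transmits when logging in: a hash, nothing reversible."""
    return derive_login_hash(derive_vault_key(master_password, email), master_password)


def enroll(master_password: str, email: str) -> dict:
    """What the server stores at sign-up (constructed record): only the login hash."""
    return {"email": email, "login_hash": client_login_message(master_password, email)}


def server_verify(stored_login_hash: bytes, presented_login_hash: bytes) -> bool:
    """Server side: constant-time comparison of hashes; the master password never arrives."""
    return hmac.compare_digest(stored_login_hash, presented_login_hash)


def expected_offline_work(master_entropy_bits: float, iterations: int = ITERATIONS) -> float:
    """Average number of PBKDF2 iterations needed to recover a vault key offline from a
    stolen encrypted vault: half the keyspace, each guess costing `iterations` rounds.
    Once the vault is in someone else's hands, only these two factors protect it."""
    return 2 ** (master_entropy_bits - 1) * iterations


if __name__ == "__main__":
    record = enroll("correct horse battery staple", "user@example.com")
    print("server stores:", record["login_hash"].hex())
    print("login ok:", server_verify(record["login_hash"],
                                     client_login_message("correct horse battery staple", "user@example.com")))
    print("work for a 20-bit vs 60-bit master password:",
          f"{expected_offline_work(20):.2e} vs {expected_offline_work(60):.2e} iterations")
```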

@carnage4life @erin Yes, but I'm referring to the statement made that hackers could potentially intercept your master password when logging in. I do not believe that is possible with their current design. I believe they would need to alter the source code and push it to customers first before they could intercept the master.

@WiredWiz @erin If they had access to LastPass’s internal systems long enough to steal the entirety of their customer database, I don’t see why them being able to alter the LastPass website would be treated as some impossible thing.

@carnage4life @erin Fair point. I do appreciate the deep dive. It is a good wake-up call for users in general to be more mindful of their security.