LastPass CEO Karim Toubba last week said that hackers who accessed a cloud-based storage environment in August of 2022 have gained a copy of consumer data, including names, email addresses, billing addresses and telephone numbers. The executive said that data of its customers remains safe due to unavailability of the master key. However, some cybersecurity experts have termed the company’s statement as “outright lies.”
“Statement full of omissions”
As per security researcher Wladimir Palant, the company’s “statement is full of omissions, half-truths and outright lies.” Palant says that LastPass is trying to present the August 2022 incident and the data leak as two separate events but this is actually a typical technique (called lateral movement) used by threat actors.
“So the more correct interpretation of events is: we do not have a new breach now, LastPass rather failed to contain the August 2022 breach. And because of that failure people’s data is now gone. Yes, this interpretation is far less favourable of LastPass, which is why they likely try to avoid it,” Palant said in a blog post.
LastPass was storing users’ IP addresses and the researcher points out that the compromised data “should be good enough to create a complete movement profile.” The researcher also notes that LastPass is preparing “the ground for blaming the customers.”
Bald-faced lie, says another researcher
LastPass claims that he had zero knowledge about the breach, however, security researcher Jeremi Gosney says that “the claim of ‘zero knowledge’ is a bald-faced lie.” He notes that the company ”has about as much knowledge as a password manager can possibly get away with.”
“Every time you login to a site, an event is generated and sent to LastPass for the sole purpose of tracking what sites you are logging into. You can disable telemetry, except disabling it doesn’t do anything – it still phones home to LastPass every time you authenticate somewhere,” the researcher said in his post on Mastodon.
Jeffrey Goldberg, another researcher, said that LastPass’ claim that if users had followed default settings, “it would take millions of years to guess your master password using generally-available password-cracking technology” is highly misleading.
“Statement full of omissions”
As per security researcher Wladimir Palant, the company’s “statement is full of omissions, half-truths and outright lies.” Palant says that LastPass is trying to present the August 2022 incident and the data leak as two separate events but this is actually a typical technique (called lateral movement) used by threat actors.
“So the more correct interpretation of events is: we do not have a new breach now, LastPass rather failed to contain the August 2022 breach. And because of that failure people’s data is now gone. Yes, this interpretation is far less favourable of LastPass, which is why they likely try to avoid it,” Palant said in a blog post.
LastPass was storing users’ IP addresses and the researcher points out that the compromised data “should be good enough to create a complete movement profile.” The researcher also notes that LastPass is preparing “the ground for blaming the customers.”
Bald-faced lie, says another researcher
LastPass claims that he had zero knowledge about the breach, however, security researcher Jeremi Gosney says that “the claim of ‘zero knowledge’ is a bald-faced lie.” He notes that the company ”has about as much knowledge as a password manager can possibly get away with.”
“Every time you login to a site, an event is generated and sent to LastPass for the sole purpose of tracking what sites you are logging into. You can disable telemetry, except disabling it doesn’t do anything – it still phones home to LastPass every time you authenticate somewhere,” the researcher said in his post on Mastodon.
Jeffrey Goldberg, another researcher, said that LastPass’ claim that if users had followed default settings, “it would take millions of years to guess your master password using generally-available password-cracking technology” is highly misleading.
Related Posts
Denial of responsibility! TechnoCodex is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – [email protected]. The content will be deleted within 24 hours.
