Security experts say LastPass misled customers in August data breach updates

Hackers stole customer password vaults, and LastPass is allegedly trying to downplay the severity, experts say


Security experts are calling LastPass out on its “misleading” December security breach update.

The breach originates from an incident in August that led to a subsequent breach in November, in which cybercriminals gained access to user password vaults. LastPass has posted two updates since August, the latter earlier this month. The company said there was no cause for concern because passwords remain encrypted. While hackers could use brute force to guess master passwords, LastPass said it “would take millions of years to guess” if the company’s best practices for passwords were followed.

Jeffrey Goldberg, Principal Security Architect at 1Password, said the “claim is highly misleading.” The statement assumes users randomly generated their master passwords, which Goldberg said people aren’t very good at doing.

“Unless your password was created by a good password generator, it is crackable,” Goldberg wrote in a blog post. The best practices LastPass cites say nothing about a password generator, which Goldberg implies is the way to create uncrackable passwords.

Guessing passwords also isn’t expensive, Goldberg wrote: 10 billion guesses cost about $100 USD (roughly $135 Canadian).

“Given that the attacker is starting with the most likely human-created passwords first, that $100 worth of effort is likely to get results unless the password was machine generated.”
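To make Goldberg's argument concrete, here is an added worked example (not code from the article, from 1Password or from LastPass) that turns the one figure the article gives, about $100 USD per 10 billion guesses, into an expected cracking cost for a password of a given strength. The alphabet, password lengths, the assumed effective entropy of a human-chosen password and the assumed guess rate used for the time estimate are all assumptions chosen for illustration; the cost-per-guess figure is the only number taken from the article. It also shows what "a good password generator" means in practice: every character drawn from a cryptographically secure random source.

```python
import math
import secrets
import string

# Figure taken from the article: Goldberg's estimate that 10 billion guesses
# cost roughly $100 USD. Everything else in this file is an assumption.
USD_PER_GUESS = 100.0 / 10_000_000_000

# Assumption: attackers try the most likely human-created passwords first, so a
# typical human-chosen password falls within roughly 2**30 ordered guesses.
ASSUMED_HUMAN_PASSWORD_BITS = 30.0

DEFAULT_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """A uniformly random secret is found, on average, halfway through its keyspace."""
    return 2.0 ** (bits - 1)


def expected_cost_usd(bits: float) -> float:
    """Expected attacker spend to recover a secret of the given entropy."""
    return expected_guesses(bits) * USD_PER_GUESS


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Expected wall-clock time at an assumed guess rate (rate is not from the article)."""
    seconds = expected_guesses(bits) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_password(length: int, alphabet: str = DEFAULT_ALPHABET) -> str:
    """A 'good password generator' in Goldberg's sense: a CSPRNG picks every character."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(generated_length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> dict:
    """Cost to guess a generated password versus the assumed human-chosen one."""
    gen_bits = entropy_bits(len(alphabet), generated_length)
    return {
        "generated_bits": gen_bits,
        "generated_cost_usd": expected_cost_usd(gen_bits),
        "human_bits": ASSUMED_HUMAN_PASSWORD_BITS,
        "human_cost_usd": expected_cost_usd(ASSUMED_HUMAN_PASSWORD_BITS),
    }


if __name__ == "__main__":
    result = compare()
    print(f"generated 20-char password: {result['generated_bits']:.1f} bits, "
          f"expected cost ${result['generated_cost_usd']:.3g}")
    print(f"assumed human-chosen password: {result['human_bits']:.0f} bits, "
          f"expected cost ${result['human_cost_usd']:.2f}")
    print("example generated master password:", generate_password(20))
```

At the article's price per guess, the assumed human-chosen password costs a few dollars to recover, while a 20-character generated one costs far more than any attacker can spend; that gap, not the encryption itself, is what separates "millions of years" from "$100 worth of effort".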

LastPass’ transparency claims have also been questioned. Security researcher Wladimir Palant took issue with the company’s “commitment to transparency.” LastPass stated its updates were meant to keep its customers informed. However, Palant wrote in a blog post that LastPass is required under U.S. law to disclose data breaches immediately.

He further accused the company of portraying the August breach and the November incident as two separate events. In reality, LastPass could not contain the August breach. “Because of that failure, people’s data is now gone,” Palant wrote.

Source: 1Password, Wladimir Palant Via: The Verge