I don't buy LastPass' statement that this breach of master passwords was due to credential stuffing. If that were the case, then LastPass users who feel victim would have been using their master passwords for something else. The victims who posted in the HN thread specifically said they did not do that.
#cososec
LastPass Says It Didn’t Leak Your Master Password
https://www.howtogeek.com/776450/lastpass-says-it-didnt-leak-your-master-password/
It's not even possible for LastPass to leak the master passwords, they don't store them.
@mcfate
Agreed, but their explanation doesn't make sense to me either.
It doesn't make sense to you if you take a bunch of randos on Hacker News at their word.
I don't.
If LastPass never had possession of the passwords — and they didn't — how could they have "leaked" them? And why has this only hit a handful of LastPass users?
I'm guessing these people were either sloppy, chose crappy passwords, or both.
They should set up 2FA on their LastPass account.
I mean, we've got some numpty on that thread claiming that there's a LastPass forum that you log into using your vault credentials, which is rank nonsense.
@mcfate
You did read that I said I agreed that LastPass didn't leak anything, yes?
I did, yet you insist that you "don't buy their explanation" about the purported "leakage" of passwords you agree they never possessed.
I get that you have an animus towards an assortment of organizations, but you have a tendency to let it affect your thinking.
This is, I believe, one of those moments. I mean, feel free to explain to me why you place greater weight on the testimony of some random posters on HN over LastPass, but I don't see it having a real foundation.
If we agree that LastPass didn't leak anything, then the available explanations seem to be:
— These dudes on HN are lying about not reusing passwords
— These dudes on HN used trivial, easily-guessed passwords
— These dudes on HN are simply full of shit, as is at least the person posting horsecrap claims about LastPass forums
Does that sum it up?
I note that none of these explanations involve LastPass telling lies to anyone about anything.
@mcfate
I have no animus whatsoever towards LastPass. I personally use Bitwarden, but from everything I've read, LastPass is a solid company.
Believe what you want about my thinking. I'm done discussing this with you.
Okey-dokey. Still no explanation of what you "don't buy", or why, which is all I was actually wondering about, but whatever. Shika ga nai yo.
Me, I "don't buy" the HN posting, because HN is about as full of nonsense as Slashdot is.
¯\_(ツ)_/¯
"But while LastPass claims the recent account compromises was the result of a credential stuffing attack, after this article went live, security researcher Bob Diachenko suggested that this might not be necessarily true, and that hackers simply used a database that leaked from a malware operation, which appears to have also contained LastPass account master passwords."
https://therecord.media/lastpass-confirms-credential-stuffing-attack-against-some-of-its-users/
https://twitter.com/MayhemDayOne/status/1475897344537374722