The LastPass statement on their latest breach is full of omissions, half-truths and outright lies. I’m providing the necessary context for some of their claims.

The recent (2022) compromise of Lastpass included email addresses, home addresses, names, and encrypted customer vaults. In this post I will demonstrate how attackers may leverage tools like Hashcat to crack an encrypted vault with a weak password.

We are working diligently to understand the scope of the incident and identify what specific information has been accessed.

LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022. The company added that, once in, the threat actors also managed to access customer data stored in the compromised storage service.

We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.

We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.