I had a person comment on my blog that their #LastPass account was set to 500 (in words: five hundred) PBKDF2 iterations. That's a factor of 620 (!!!) less than what OWASP currently recommends.
And now that I’ve seen it I also found a Reddit comment from a person who went into their account settings and also found 500 iterations there. And another person saying the same thing on Hacker News.
So LastPass didn’t merely mess up upgrading accounts from 5,000 to 100,100 when they increased the default in 2018. They also failed to upgrade people when they went from 500 to 5,000 iterations before that. Anyone have an idea when that even was?
Sue them. Sue them to the ground. This is gross negligence.
#LastPassBreach
Yellow Flag
So: LastPass updated the PBKDF2 defaults three times in total. Each and every time they failed to update the security settings for existing accounts, at least for some of them. So in 2022 we still have accounts configured with the default from 2010, even though it was completely inadequate even back then.
Not just that. LastPass could do a simple database query and notify the affected users. But so far people are left to figure it out on their own. Nobody knows how many people are affected but unaware of it because the official LastPass statement essentially says “nothing to worry about, it’s all safely encrypted.”
#LastPassBreach
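To make the numbers in the thread concrete, here is an added example (not code from the original posts or from LastPass) that derives a vault key with PBKDF2-HMAC-SHA256 at the iteration counts mentioned above and measures how the attacker's guess rate scales with them. It assumes, for illustration only, that the salt is the account email and that the OWASP recommendation the thread compares against is 310,000 iterations (500 × 620); the master password, email and guess list are constructed sample data.

```python
import hashlib
import time

# Iteration counts named in the thread: LastPass defaults over the years.
LASTPASS_DEFAULTS = {
    "2010 default": 500,
    "later default": 5_000,
    "2018 default": 100_100,
}

# Assumption: the OWASP PBKDF2-HMAC-SHA256 figure implied by the thread's
# "factor 620" (500 * 620 = 310,000).
OWASP_PBKDF2_SHA256 = 310_000


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation.

    Assumption for illustration: the account email is used as the salt.
    Same password + same email + different iteration count => different key,
    which is why an attacker must know the per-account setting to attack it.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.encode("utf-8"),
        iterations,
        dklen=32,
    )


def relative_cost(iterations: int, baseline: int = OWASP_PBKDF2_SHA256) -> float:
    """How many times cheaper one password guess is at `iterations` than at `baseline`.

    PBKDF2 cost is linear in the iteration count, so this is a plain ratio.
    """
    return baseline / iterations


def is_weak(iterations: int, recommended: int = OWASP_PBKDF2_SHA256) -> bool:
    """True if an account's iteration count is below the recommended minimum."""
    return iterations < recommended


def measure_guess_rate(email: str, iterations: int, guesses: list[str]) -> float:
    """Guesses per second a single CPU core manages at this iteration count.

    This is a rough local measurement; a GPU cracking rig is orders of
    magnitude faster, but scales with the iteration count in the same way.
    """
    start = time.perf_counter()
    for guess in guesses:
        derive_vault_key(guess, email, iterations)
    elapsed = time.perf_counter() - start
    return len(guesses) / elapsed if elapsed > 0 else float("inf")


def weak_accounts(settings: dict[str, int]) -> list[str]:
    """Return the account identifiers whose iteration count is below OWASP.

    This is the 'simple database query' the thread asks for: given each
    account's stored iteration count, list the ones that need notifying.
    """
    return sorted(acct for acct, iters in settings.items() if is_weak(iters))


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    email = "user@example.com"
    sample_guesses = ["password1", "correct horse", "Tr0ub4dor&3", "hunter2"]

    for label, iters in LASTPASS_DEFAULTS.items():
        rate = measure_guess_rate(email, iters, sample_guesses)
        print(f"{label:>14}: {iters:>7} iterations, "
              f"{relative_cost(iters):>6.0f}x cheaper than OWASP, "
              f"~{rate:,.0f} guesses/s on this core, weak={is_weak(iters)}")

    # Constructed per-account settings table standing in for the vendor's DB.
    db = {"alice": 500, "bob": 5_000, "carol": 100_100, "dave": 310_000}
    print("accounts to notify:", weak_accounts(db))
```

The point the measurement makes is that every one of the historical LastPass defaults, including the 2018 value, sits below the recommended minimum, and the 500-iteration accounts give an attacker 620 guesses for the price of one; the `weak_accounts` function shows how little work it would be to find and notify them from stored settings.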