Tom here from One Systems, and in August of 2022, LastPass had a security incident. We have more details here that were released on December 22nd of 2022 about the incident. Now, they stole some source code, and that was a bit of a cause for concern, not because the source code was out there, but because that means they were pretty deep into the system. Being that deep in the system also led them to some other information: some technical details of their infrastructure. And we know now, from this December 22nd release, that they got a copy of the vaults. Now, before you go into full panic, let's talk about what that means. Normally, if you want to attack someone's LastPass account, you get their username, which is generally their email, and then you're going to try to log in. If they have two-factor, that's another stumbling block you have; then there's rate limiting, so you can only guess so many passwords against the master password. But what if you remove the rate limiting and the two-factor? Well, that's what happens when you have the vault. So if I have that encrypted blob, then we have the ability to just try dictionary attacks. Dictionary attacks are the use of common passwords or commonly used words. And unfortunately, some people may not have a strong master password. Now, if you do have a strong master password with some non-common words and maybe some exclamation points and lots of other different, you know, pound signs and all the different characters, now you've increased the complexity and lessened the likelihood that someone will be able to crack that password. And because, as I said, the encryption they use is quite good, that means they didn't get much in terms of that vault. So you're protected under those circumstances; that's something to consider there. Now, what else did they get? They did get a few other things.
And a threat actor was able to copy names and usernames, billing addresses, email addresses, telephone numbers, and the IP addresses from which you accessed the LastPass service. Now, all this information, of course, is important for billing. So obviously you can't really encrypt the billing information; I wouldn't really understand how they'd send you the bill. The other part, though, gets a little bit fuzzier for people who noticed that they said they copied website URLs. And I wanted to talk about how that happened and why zero knowledge is zero knowledge of usernames and passwords, but not zero knowledge of what websites are stored in there. And for that, we're going to reference this write-up, which was actually from January 18 of 2017: LastPass does not encrypt everything in your vault. We scroll down here. And this was a security researcher who said, hey, this is interesting. They did a redesign in 2017 and got these fancy icons in there. But how are they figuring out what icons belong in there? What's the method they use? And, you know, you can hit that crazy hacker button F12, and with F12 you can go through (I have a video linked down below) to see what data is actually sent to the password manager. So I've covered how to do this in a little more detail. But the bad news for LastPass specifically is they're storing the URL as just unencrypted hexadecimal. Now, the hexadecimal is easily reversed. And they pointed out that that's the accounts.google.com ServiceLogin. But don't worry, your username and password were properly encrypted. So there's some good news. As I said, it's not the end of the world here. But that little bit of information can lead to, well, this security breach and people having more information about you. It's also kind of not zero knowledge. As the researcher points out here with regards to LastPass storing this information, they also bring up the privacy concerns of LastPass having the information of each website that you are storing in there.
And if they don't know the username and password, they now have more information that, well, could be sold, or, like I said, become a privacy concern. And of course, this is the worst part of it: if you're using something that uses HTTP basic auth, the username and password might be stored in there. And one more thing that's even worse is a reset token could be stored in there. And I know reset tokens should be short-lived, you know, lasting maybe 24 hours. But that is on a well-built, security-conscious website. Not all websites are well built or security conscious. So if that URL contained a password reset token that was static because, well, some company decided that would be the way they would put their website together, now you have the potential to pull that data out because the URLs were taken, and, well, create a security concern. So if you're asking the question, though, and this is, I know, what was probably in the comments down below: should I keep using LastPass? I'm just here to give you all the data. I moved away from LastPass over to Bitwarden quite a while ago. I've been really happy with that move. I like Bitwarden. I like the fact that you can self-host it. I like the fact that they encrypt all the URLs. And I don't have a problem with it. So I moved a number of years ago. I'm still happy with that move here in 2022 going into 2023. I'm just here to give you some data. I'll let you ultimately make the decision of where you want to go. By the way, I have some Bitwarden reviews that you can find in the links down below. So my opinion is yes, go with Bitwarden. It's up to you if you want to stay with LastPass, but this security incident is kind of scary. I was kind of thinking, though, maybe they should go through some rebranding, maybe call it LostPass. Let me know some other ideas you might have in the comments down below, or what your thoughts are on this. I'll leave a link to the security report done by LastPass.
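The two points above, that the URL field was only hex-encoded and that a stored URL can itself carry basic-auth credentials or a reset token, as an added Python example that is not from the video or from LastPass: it decodes constructed vault URL fields and flags the ones that leak a secret even though the password field stays encrypted. Host names, credentials and the token are all made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample vault "URL" fields. Per the write-up the video cites, LastPass
# stored this field hex-encoded rather than encrypted, so anyone holding a copy of
# the vault can read it without the master password. Every value here is invented.
SAMPLE_URL_FIELDS = [
    # hex of "https://accounts.google.com/ServiceLogin"
    "68747470733a2f2f6163636f756e74732e676f6f676c652e636f6d2f536572766963654c6f67696e",
    # HTTP basic-auth credentials embedded in the URL itself (hypothetical host)
    "https://admin:Hunter2@intranet.example.net/status".encode().hex(),
    # a password-reset link saved as an entry (hypothetical host, invented token)
    "https://shop.example.com/reset?token=9f3c1a7b5e2d&user=tom".encode().hex(),
    # harmless entry: nothing secret in the URL
    "https://bitwarden.example.org/#/vault".encode().hex(),
]

# Query-parameter names that commonly carry a secret or a reset/session token.
SENSITIVE_PARAMS = re.compile(r"(token|reset|key|secret|session|sig|auth)", re.I)


def decode_url_field(hex_field: str) -> str:
    """Reverse the hex encoding; this was the only 'protection' the field had."""
    return bytes.fromhex(hex_field).decode("utf-8", errors="replace")


def audit_url(url: str) -> list[str]:
    """Return the reasons a stored URL is sensitive even with the password encrypted."""
    findings = []
    parts = urlsplit(url)
    if parts.username is not None:
        findings.append("basic-auth userinfo in URL")
    for name in parse_qs(parts.query, keep_blank_values=True):
        if SENSITIVE_PARAMS.search(name):
            findings.append(f"token-like query parameter '{name}'")
    return findings


def audit_vault(hex_fields: list[str]) -> dict[str, list[str]]:
    """Map each decoded URL to its findings; entries with no findings are dropped."""
    report = {}
    for field in hex_fields:
        url = decode_url_field(field)
        findings = audit_url(url)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, why in audit_vault(SAMPLE_URL_FIELDS).items():
        print(url, "->", "; ".join(why))
```

Run against a real export of your own vault, the report tells you which entries to rotate first: any credential or token that lives in the URL rather than in the encrypted password field.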
I do thank them for being transparent on this, but transparent or not, with the URLs not encrypted and somehow someone getting a copy of the backups, I kind of want to know more details. I hope more details come out, because if the data was stolen in August, does that mean they've had it since August and have been iterating against these? Also, changing your LastPass password may not do much, because they already have a copy of the vault from whenever they stole that vault. So that's something else to consider, something else to think about. Anyways, leave your thoughts and comments down below or head over to my forums for a more in-depth discussion.