LastPass attacker stole password vault data, showing Web2's limitations

Published at: Dec. 23, 2022

Password management service LastPass was hacked in August 2022, and the attacker stole users’ encrypted passwords, according to a Dec. 23 statement from the company. This means that the attacker may be able to crack some website passwords of LastPass users through brute force guessing.

Notice of Recent Security Incident - The LastPass Blog#lastpasshack #hack #lastpass #infosec https://t.co/sQALfnpOTy

— Thomas Zickell (@thomaszickell) December 23, 2022

LastPass first disclosed the breach in August 2022 but at that time, it appeared that the attacker had only obtained source code and technical information, not any customer data. However, the company has investigated and discovered that the attacker used this technical information to attack another employee’s device, which was then used to obtain keys to customer data stored in a cloud storage system.

As a result, unencrypted customer metadata has been revealed to the attacker, including “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

In addition, some customers’ encrypted vaults were stolen. These vaults contain the website passwords that each user stores with the LastPass service. Luckily, the vaults are encrypted with a Master Password, which should prevent the attacker from being able to read them.

The statement from LastPass emphasizes that the service uses state-of-the-art encryption to make it very difficult for an attacker to read vault files without knowing the Master Password, stating:

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

Even so, LastPass admits that if a customer has used a weak Master Password, the attacker may be able to use brute force to guess this password, allowing them to decrypt the vault and gain all of the customers’ website passwords, as LastPass explains:

“it is important to note that if your master password does not make use of the [best practices the company recommends], then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.”

Can password manager hacks be eliminated with Web3?

The LastPass exploit illustrates a claim that Web3 developers have been making for years: that the traditional username and password login system needs to be scrapped in favor of blockchain wallet logins.

According to advocates for crypto wallet login, traditional password logins are fundamentally insecure because they require hashes of passwords to be kept on cloud servers. If these hashes are stolen, they can be cracked. In addition, if a user relies on the same password for multiple websites, one stolen password can lead to a breach of all others. On the other hand, most users can’t remember multiple passwords for different websites.

To solve this problem, password management services like LastPass have been invented. But these also rely on cloud services to store encrypted password vaults. If an attacker manages to obtain the password vault from the password manager service, they may be able to crack the vault and obtain all of the user’s passwords.

Web3 applications solve the problem in a different way. They use browser extension wallets like Metamask or Trustwallet to sign in using a cryptographic signature, eliminating the need for a password to be stored in the cloud.

But so far, this method has only been standardized for decentralized applications. Traditional apps that require a central server don’t currently have an agreed-upon standard for how to use crypto wallets for logins.

Related: Facebook is fined 265M euros for leaking customer data

However, a recent Ethereum Improvement Proposal (EIP) aims to remedy this situation. Called “EIP-4361,” the proposal attempts to provide a universal standard for web logins that works for both centralized and decentralized applications.

If this standard is agreed upon and implemented by the Web3 industry, its proponents hope that the entire world wide web will eventually get rid of password logins altogether, eliminating the risk of password manager breaches like the one that has happened at LastPass.

Tags
Related Posts
Your crypto wallet is the key to your Web3 identity
Digital identity has been a fraught subject since the earliest days of the internet. Web2 bridged the gap between people’s offline lives, online identities, and creative and consumer habits, which has given way to a thoroughly integrated internet experience designed to be as personalized and targeted as possible. As a new phase of virtual interaction and digital identity appears on the horizon — one even more interconnected than Web2 — we need to rethink personalization and ownership with an eye to what did and didn’t work in the world of Web2. While there is no blueprint for the Web3 identity …
Adoption / July 10, 2022
Organizations look toward multiparty computation to advance Web3
Protecting user data and private keys is crucial as Web3 advances. Yet, the number of hacks that have occurred within the Web3 space in 2022 alone has been monumental, proving that additional security measures, along with greater forms of decentralization, are still required. As this becomes obvious, a number of organizations have started leveraging multiparty computation, or MPC, to ensure privacy and confidentiality for Web3 platforms. MPC is a cryptographic protocol that utilizes an algorithm across multiple parties. Andrew Masanto, co-founder of Nillion – a Web3 startup specializing in decentralized computation – told Cointelegraph that MPC is unique because no …
Decentralization / Aug. 16, 2022
How Not to Lose Your Coins in 2020: Alternative Recovery Methods
When Peter Schiff claimed that his wallet lost his Bitcoin (BTC), many in the crypto community were skeptical. While some believe that Schiff simply lost his password, others, like Ethereum co-founder Vitalik Buterin, highlighted that losing private keys remains an important issue for cryptocurrency users. Being your own bank is hard Keeping custody of your own cryptocurrency is quite complex, especially for non-tech savvy users. Most wallets require the user to write down the private key before accessing the wallet. Storing the key can be done by simply writing it down on a piece of paper, a method that is …
Adoption / Jan. 21, 2020
Solana integrates Web3Auth to lower DApp barrier-to-entry
Solana Labs and Web3Auth have announced a collaborative digital wallet initiative designed to eliminate the prerequisites for seed phrases in cryptocurrency interaction, and in turn, streamline a presently tedious and complex process to drive consumer adoption in the Web3 sphere. The Solana Torus Wallet is a non-custodial product that enables users to access all decentralized applications (DApps) and associated wallets within the Solana ecosystem. Upon creation of a cryptocurrency wallet, a user has required the record and remember a seed phrase; a random computer-generated list of words, typically twelve to twenty-four, which acts as the wallet holders master key to …
Adoption / Feb. 3, 2022
Uniswap DAO debate shows devs still struggle to secure cross-chain bridges
Over $2.5 billion was stolen in cross-chain crypto bridge hacks from 2021 to 2022, according to a report by Token Terminal. But, despite several attempts by developers to improve bridge security, a debate from December 2022 to January 2023 on the Uniswap DAO forums has laid bare security weaknesses that continue to exist in blockchain bridges. In the past, bridges like Ronin and Horizon used multisig wallets to ensure that only bridge validators could authorize withdrawals. For example, Ronin required five out of nine signatures to withdraw, whereas Horizon required two out of five. But attackers figured out how to …
Blockchain / Feb. 26, 2023