Cloud-Based Password Service LastPass Hacked, User Data Compromised

But cryptographic tech, like that the government wants to weaken, helps mitigate the risk to users.

[Image: Hackers steal user data from cloud-password service LastPass. Photo credit: marc falardeau / Flickr]

Users of cloud-based password storage service LastPass may need a NewPass after hackers allegedly infiltrated the system. "Account email addresses, password reminders, server per user salts, and authentication hashes were compromised," according to a post on the LastPass blog by CEO Joe Siegrist.

Siegrist reassured users that the company "found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed," however.

Siegrist says the company has already taken steps to mitigate the damage:

We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.

It looks like this is stacking up to be the summer of the data thief:

There's a key difference between these government "cybersecurity incidents" and the LastPass theft, though: the master passwords stolen from LastPass were hashed—a type of one-way, or (theoretically) indecipherable, cryptography—using what Jeremi Gosney, Ars Technica's "resident password expert" called "among the strongest he has ever seen."

Gosney wrote, "Even weak passwords are fairly secure with that level of protection… I don't even feel compelled to change my master password."
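As an added illustration (not code from the article, and not LastPass's own scheme, which the article does not describe), the Python below models the split that the article's wording implies: a vault key derived on the client that never leaves it, and a separate per-user salted, slow-hashed authentication value that is all the server stores. The function names, the use of PBKDF2-HMAC-SHA256, and the iteration counts are assumptions chosen for illustration; the sample credentials are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative work factors (assumed; the article gives no parameters).
CLIENT_ROUNDS = 100_000   # client-side stretching of the master password
SERVER_ROUNDS = 100_000   # server-side stretching of the received auth token
KEY_LEN = 32              # bytes of derived key


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password into the key that encrypts the
    vault. The normalised e-mail address is the salt, so two users with the
    same master password still get different keys. This value never leaves
    the client."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        CLIENT_ROUNDS,
        dklen=KEY_LEN,
    )


def derive_auth_token(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more one-way step turns the vault key into the value
    sent at login. Holding the token does not give the vault key back."""
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode("utf-8"), 1, dklen=KEY_LEN
    )


def server_enroll(auth_token: bytes, salt: Optional[bytes] = None) -> dict:
    """Server side: keep only a random per-user salt and a slow hash of the
    token. This record is the kind of data the article says was compromised."""
    salt = salt if salt is not None else os.urandom(16)
    auth_hash = hashlib.pbkdf2_hmac(
        "sha256", auth_token, salt, SERVER_ROUNDS, dklen=KEY_LEN
    )
    return {"salt": salt, "auth_hash": auth_hash}


def server_verify(record: dict, auth_token: bytes) -> bool:
    """Server side: recompute the slow hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", auth_token, record["salt"], SERVER_ROUNDS, dklen=KEY_LEN
    )
    return hmac.compare_digest(candidate, record["auth_hash"])


def enroll(email: str, master_password: str) -> dict:
    """Full enrolment flow: the client derives, the server stores."""
    vault_key = derive_vault_key(master_password, email)
    return server_enroll(derive_auth_token(vault_key, master_password))


def login(email: str, master_password: str, record: dict) -> tuple:
    """Full login flow. Returns (accepted, vault_key); the vault key exists
    only on the client and is None when the password is wrong."""
    vault_key = derive_vault_key(master_password, email)
    token = derive_auth_token(vault_key, master_password)
    if server_verify(record, token):
        return True, vault_key
    return False, None


if __name__ == "__main__":
    # Constructed sample credentials, not real data.
    email, password = "alice@example.com", "correct horse battery staple"
    record = enroll(email, password)
    accepted, key = login(email, password, record)
    print("correct password accepted:", accepted)
    print("wrong password accepted:", login(email, "Password1", record)[0])
    print("vault key stored on server:", key in (record["salt"], record["auth_hash"]))
```

Two properties of this layout are what make Gosney's remark plausible under the assumptions above: the stored record contains neither the master password nor the vault key, and every password guess against a stolen salt and hash must repeat both slow derivations, so the per-user salt prevents one precomputed table from serving all users.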

Unfortunately, the government employees, taxpayers, and intelligence operatives impacted by the government breaches can't afford to be as nonchalant.

Despite the federal government's inability to keep its own data secure, as Andrea Castillo has written for Reason, "President Obama and leaders from the National Security Agency (NSA), FBI, and Department of Homeland Security (DHS) have been pressuring the technology community to build 'backdoors' that allow government access to [citizens'] encrypted data."

Cryptographic password hashing is technically different from the end-to-end encryption the administration seeks to weaken, but with back doors built into encrypted communications, there'd be no need to crack anyone's passwords anyway.

Castillo cautions:

The prospect of intentionally weakening these techniques in an effort to crack down on shadowy cybercriminals should be as unthinkable today as a proposal to cripple real-world keys, locks, and walls to root out property thieves.

As incidences of government falling prey to hackers continue coming to light, though, a better analogy might be: The prospect of giving the government a back door into cryptographic technology should be as unthinkable as asking a neighbor whose house has been broken into four times in a row to make sure no one breaks into yours.



  1. Greeeeeat. The former Mrs. Candy (now Mrs. Subpoena) just had me dump all my password info into LastPass.

    Now it’s personal. I will hunt them down. I will find them. I will feed them into a woodchipper.

    1. Unlike the government breaches, they didn’t actually get the goods on this one. Your Teenmoms.com password is safe for now.

      1. Whew! I was worried that my history would go into the NSA’s “Spanking” file on me.

    2. Should I panic because Lastpass was hacked?

      As an aside, there’s plenty of boring nerdrage over the incident, but 99.9% of users are going to be more secure with a good, easy-to-use password manager like LastPass than without one.

      If you want to fuck around with KeePass (or worse, Password Safe) because you’re leet, have at it; most people, given the option between those, LastPass, and using the same handful of weak passwords across services will choose the final option.

      1. (or worse, Password Safe)

        Actually I was thinking of pass / password store. Password Safe probably falls into “as bad as KeePass”.

      2. I like last pass. The only problem is I don’t know my gmail password anymore (randomly generated), or my bank accounts. So if I can’t log in to lastpass, I’m sort of screwed. But that would only really matter if I wanted to check email from a public computer, for example. Which usually isn’t a good idea, anyway.

      3. What’s wrong with KeePass?

        There’s a third-party app that lets you make an encrypted folder on Dropbox IF YOU WANT TO and store your password file there for access, but it’s not on a KeePass server. But it’s got that encryption and the master password on the file and the master key (optional).

        I was going to go with LastPass until I realized it was in the cloud by default. I didn’t find KeePass to be that difficult. I’ve had it for 3 years.

        Aside: We were using Yadabytes, which was a utility from back in the early aughts (I’m a utility junkie), but you couldn’t share or merge or import/export passwords. The Spousal Unit finally gave in to my nagging and started using it so we weren’t constantly asking each other for newly created accounts.

        1. What’s wrong with KeePass?

          three: third-party app
          four: on Dropbox

          IOW, it is not user-friendly for “normal” people.

          1. Damn. I didn’t realize I was that abnormal.

      4. KeePass + Dropbox is not so bad, but doing it all properly requires greater than average computer literacy on the part of the user.

        Really, there’s a fundamental problem that I don’t think will ever be solved. In order for somebody to make your life easier, you have to trust them at some level. Intentionally or otherwise, breaches of trust will inevitably occur.

  2. Why would anyone store any valuable data in the cloud?

    1. What do you have against the fappening?

    2. It’s the age of social media–share everything.

    3. If you’re using GPG Tools to keep your stuff encrypted, there shouldn’t be a problem using and sharing over the cloud.

  3. OT, kind of, guess which egregious bastard said this:

    If somebody would come up to me and say “Look, here’s the thing: This Snowden thing is going to be a nightmare for you guys for about two years. And when we get all done with it, what you’re going to be required to do is that little 215 program about American telephony metadata — and by the way, you can still have access to it, but you got to go to the court and get access to it from the companies, rather than keep it to yourself” — I go: “And this is it after two years? Cool!”

  4. Jeebus. When are people going to comprende that “cloud-based” is just marketing-ese for “someone else’s server, which you know nothing about”?

    1. Been saying it for years. If the data isn’t on your hard drive or other local storage medium, it doesn’t belong to you.

      1. Does this include your bank account data? What about your cellphone account and all your text messages? What about your email system login information, and all your email messages? All of that is stored ‘in the cloud’ and always has been. How could you communicate securely with anyone otherwise? Secure communication requires two ends and a middle man to manage the encrypting/decrypting keys.

        Of course there’s a risk. I use Lastpass, and I changed my master password last night. But Lastpass enables me to have twenty different unguessable passwords even I don’t know, which makes me more secure than I would be if I used the same, easily memorized password on twenty different sites. All security is a trade-off.

        1. All of that is stored ‘in the cloud’ and always has been.

          Yup. None of it is your data.

          What’s amazing about the cloud is they somehow convinced people to move data off of their owned and controlled devices and onto servers that they know nothing about.

    2. More importantly, when are people going to realize that nothing online is really all that safe and/or privacy protected?

      The shit people post on FB and Instagram and Twitter etc. sometimes just blows me away.

      So you thought your boss wouldn’t read your FB page? Well that was stupid now wasn’t it.

      You didn’t want that bikini picture getting passed around to all your friends friends? Then why DID YOU POST IT ON A SOCIAL MEDIA SITE??

      People is dumb.

    3. The Internet of Cloud Things 2.0.

    4. Have you reviewed any cloud agreements? Quite often, the provider will reserve the right to locate servers overseas. Lovely.

      1. Quite often, the provider will reserve the right to locate servers overseas.

        Yeah, that’s on our shortlist of deal-killers.

        Anybody we use has to swear up and down that our data doesn’t go overseas. Period.

        And we audit. Oh, my, yes, do we audit.

        1. Same with us. Screw that nonsense.

  5. Cryptographic backdoors are dangerous and INCREDIBLY stupid. Even assuming the government can protect the backdoor master key (extremely unlikely), it makes it that much easier for hackers/crackers to brute-force their way into encrypted information. The backdoor weakens the entire encryption scheme by adding a level of predictability to it.

  6. Why the fuck would anyone store their passwords in the cloud? That might be the most retarded thing I’ve read this week.

    1. Most security professionals I know (including Bruce Schneier and a number of CISOs I work with) respectfully disagree.

    2. We’re not pasting them into a Google Doc, Loki. They’re encrypted client-side.

      It’s still an added risk over storing them locally, sure, but it’s not crazy.

    3. No need to have it in the cloud, use KeePass on both your desktop and phone, problem solved.

      Seriously do not understand why anyone would put anything on some unknown, possibly compromised server when they can just keep it local.

      I mean, a password file is one of the smallest files in existence, even if your passwords are ginormous, like 100-char Spock-type passwords, and there is surely enough space on your phone or laptop to store that, and access through a master key.

      1. there is surely enough space on your phone or laptop to store that

        I keep mine in a USB drive on my keychain. 8 GB of passwords in the palm of your hand for < $20. If you count one in a slick at home, $40.

      2. and access through a master key.

        Aren’t you just kicking the can down the street? Where do you store the master key? In your head, I presume.

    4. Because it’s convenient and significantly more secure than the way most people manage their passwords (which is to use the same one everywhere).

      I have over 80 sites in my vault.
      Each one is unique
      Each one is very complex
      Encryption and Decryption of your Username/PW and Vault is done on the client device, so plain text data never even enters their servers. I doubt LP could decrypt your user password vault even if they wanted to.

      In theory you could use something like KeePass to do almost the same thing, but it’s a PITA compared to LastPass when you consider the steps necessary to maintain backups, and to keep multiple devices all synced to the same password vault.

      1. I don’t know how LastPass manages their software, but if they produce the client application then it just takes one rogue (or government-mandated) automatic update to break whatever promises are made with regard to the protection of your personal information.

        This is no less true of KeePass, although it’s easier to detect a program that connects to the Internet when it’s not supposed to than it is to monitor the protocol traffic of a program that is supposed to connect to the Internet.

  7. I think we would be a lot better off behaving as if everything we put online is wide-open for all to see – because, in effect, it is. The hoops we all jump through (“your password must contain at least one from each of these 4 categories…”, “you must change your password every 30 days…”) are a complete waste of time because nobody who isn’t a superhuman can memorize dozens of different, unguessable passwords that change all the time.

    Until we develop some technology that doesn’t exist yet – this is all theater.

    1. That’s exactly what password managers are for. They allow me to have dozens of unguessable passwords that change all the time (well, every few months, anyway). And yes, there’s a risk that Lastpass will get hacked again. But all of life is filled with risks, and on balance I prefer using a cloud-based password manager to trying to memorize dozens of complex passwords.

      And you can’t stay away from ‘the cloud’ unless you stay away from computers. Again, it’s a balancing act. As Schneier keeps saying, all security is a trade-off.

      1. That’s exactly what password managers are for

        Yeah, and then you’re left with one password that “guards” all your other passwords. I use them for convenience but I’m not thinking it’s in any way secure.

        1. Thank You, Rhywun.

        2. The difference is

          One strong password, protected by strong encryption

          Vs what a lot of people still do out of convenience which is use the same password everywhere.
          Except if you do that, it doesn’t really matter how strong your password is because hackers need only to find reasonably popular systems with weak security, and exploit them.

  8. My little rant about passwords is that so many commercial websites require a registration with a username and password just to browse their product offerings with the price included, or access their tech support forum. For no reason I can come up with. And then there is the problem about what passwords are acceptable. The password “password” has 8 characters, but no numbers. “password1” fixes that, but you need at least one upper case character. “Password1” fixes that, but you need at least one special character. “Password_1” fixes that, until some site tells you it’s too long, or special characters are not supported. I have my 8 character commercial password that works on about 90% of web sites. That seems to be the limit.

    IMHO, small commercial websites should always offer a Paypal option. It’s a double ding from Paypal and the CC company but it’s relatively frictionless. When it comes to authentication, less is better. Too many password being stored in too many places does not help.

