Cloud-Based Password Service LastPass Hacked, User Data Compromised

Users of cloud-based password storage service LastPass may need a NewPass after hackers allegedly infiltrated the system. "Account email addresses, password reminders, server per user salts, and authentication hashes were compromised," according to a post on the LastPass blog by CEO Joe Siegrist.

Siegrist reassured users that the company "found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed," however.

Siegrist says the company has already taken steps to mitigate the damage:

We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.

It looks like this is stacking up to be the summer of the data thief:

• In May, hackers weaseled their way into the IRS's systems through the agency's web interface, accessing information on 100,000 taxpayers.
• Then, earlier this month, The U.S. Office of Personnel Management (OPM) notified employees of a "cybersecurity incident" in which (allegedly Chinese) hackers stole personal, identifiable information of 4 million government workers.
• Just last week, news of another OPM hack came to light, this time involving records related to intelligence and military personnel's security clearances.
• And over the weekend, British intelligence proffered a claim that China and Russia acquired classified intelligence documents from the oft-maligned Edward Snowden, though at least one expert says it's possible the Chinese and Russians hacked NSA computers and stole the files on their own.

There's a key difference between these government "cybersecurity incidents" and the LastPass theft, though: the master passwords stolen from LastPass were hashed—a type of one-way, or (theoretically) indecipherable, cryptography—using what Jeremi Gosney, Ars Technica's "resident password expert" called "among the strongest he has ever seen."

Gosney wrote, "Even weak passwords are fairly secure with that level of protection…I don't even feel compelled to change my master password."

Unfortunately, the government employees, taxpayers, and intelligence operatives impacted by the government breaches can't afford to be as nonchalant.

Despite the federal government's inability to keep its own data secure, as Andrea Castillo has written for Reason, "President Obama and leaders from the National Security Agency (NSA), FBI, and Department of Homeland Security (DHS) have been pressuring the technology community to build 'backdoors' that allow government access to [citizens'] encrypted data."

Cryptographic password hashing is technically different from the end-to-end encryption the administration seeks to weaken, but with back doors built into encrypted communications, there'd be no need to crack anyone's passwords anyway.

Castillo cautions:

The prospect of intentionally weakening these techniques in an effort to crack down on shadowy cybercriminals should be as unthinkable today as a proposal to cripple real-world keys, locks, and walls to root out property thieves.

As incidences of government falling prey to hackers continue coming to light, though, a better analogy might be: The prospect of giving the government a back door into cryptographic technology should be as unthinkable as asking a neighbor whose house has been broken into four times in a row to make sure no one breaks into yours.