Cloud-Based Password Service LastPass Hacked, User Data Compromised

But cryptographic tech, like that the government wants to weaken, helps mitigate the risk to users.


Hackers steal user data from cloud-password service LastPass
marc falardeau / Flickr

Users of cloud-based password storage service LastPass may need a NewPass after hackers allegedly infiltrated the system. "Account email addresses, password reminders, server per user salts, and authentication hashes were compromised," according to a post on the LastPass blog by CEO Joe Siegrist.

Siegrist reassured users that the company "found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed," however.

Siegrist says the company has already taken steps to mitigate the damage:

We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.

It looks like this is stacking up to be the summer of the data thief:

There's a key difference between these government "cybersecurity incidents" and the LastPass theft, though: the master passwords stolen from LastPass were not stored as such but hashed (a one-way cryptographic transformation that can be checked against a guess but not reversed to recover the password) using a scheme that Jeremi Gosney, Ars Technica's "resident password expert," called "among the strongest he has ever seen."
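To make that distinction concrete, here is an added example (not code from the article, from LastPass, or from Gosney) of the kind of server-side record the breach notice describes: a random per-user salt plus an iterated authentication hash. The article does not state LastPass's actual algorithm or work factor, so PBKDF2-HMAC-SHA256 with an assumed iteration count stands in for it; the point it shows is that a leaked salt and hash still force an attacker to redo the full slow computation for every guess against every user.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters. The article does not give LastPass's actual scheme, so
# PBKDF2-HMAC-SHA256 with a random per-user salt stands in for it here.
HASH_NAME = "sha256"
ITERATIONS = 100_000   # work factor; an assumption, not LastPass's real count
SALT_BYTES = 32

def make_record(master_password: str) -> dict:
    """Server-side record for a new user: per-user salt plus authentication hash.
    This record, not the master password itself, is what a breach could expose."""
    salt = os.urandom(SALT_BYTES)
    auth_hash = hashlib.pbkdf2_hmac(
        HASH_NAME, master_password.encode(), salt, ITERATIONS)
    return {"salt": salt, "auth_hash": auth_hash, "iterations": ITERATIONS}

def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    attempt = hashlib.pbkdf2_hmac(
        HASH_NAME, candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(attempt, record["auth_hash"])

def guesses_per_second(record: dict, sample: int = 10) -> float:
    """Rate at which one core can test guesses against one leaked salt+hash.
    Every guess must redo the full iterated hash under this user's salt."""
    start = time.perf_counter()
    for i in range(sample):
        verify(record, f"constructed-guess-{i}")   # constructed wrong guesses
    return sample / (time.perf_counter() - start)

def unsalted_fast_guesses_per_second(sample: int = 10_000) -> float:
    """Contrast: one unsalted SHA-256 per guess, as a weak scheme would store it."""
    start = time.perf_counter()
    for i in range(sample):
        hashlib.sha256(f"constructed-guess-{i}".encode()).digest()
    return sample / (time.perf_counter() - start)

if __name__ == "__main__":
    rec = make_record("correct horse battery staple")   # constructed sample password
    print("verify correct:", verify(rec, "correct horse battery staple"))
    print("verify wrong:  ", verify(rec, "password123"))
    print(f"stretched guesses/s: {guesses_per_second(rec):,.0f}")
    print(f"unsalted SHA-256 guesses/s: {unsalted_fast_guesses_per_second():,.0f}")
```

Because each user has a different salt, the slow computation cannot be shared across accounts, which is why a high work factor protects even the weaker passwords in a leaked table.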

Gosney wrote, "Even weak passwords are fairly secure with that level of protection…I don't even feel compelled to change my master password."

Unfortunately, the government employees, taxpayers, and intelligence operatives impacted by the government breaches can't afford to be as nonchalant.

Despite the federal government's inability to keep its own data secure, as Andrea Castillo has written for Reason, "President Obama and leaders from the National Security Agency (NSA), FBI, and Department of Homeland Security (DHS) have been pressuring the technology community to build 'backdoors' that allow government access to [citizens'] encrypted data."

Cryptographic password hashing is technically different from the end-to-end encryption the administration seeks to weaken, but with back doors built into encrypted communications, there'd be no need to crack anyone's passwords anyway.

Castillo cautions:

The prospect of intentionally weakening these techniques in an effort to crack down on shadowy cybercriminals should be as unthinkable today as a proposal to cripple real-world keys, locks, and walls to root out property thieves.

As incidences of government falling prey to hackers continue coming to light, though, a better analogy might be: The prospect of giving the government a back door into cryptographic technology should be as unthinkable as asking a neighbor whose house has been broken into four times in a row to make sure no one breaks into yours.