Cloud-Based Password Service LastPass Hacked, User Data Compromised

But cryptographic tech, like that the government wants to weaken, helps mitigate the risk to users.

C.R. Denning | 6.17.2015 2:04 PM

(marc falardeau / Flickr)

Hackers steal user data from cloud-password service LastPass — marc falardeau / Flickr

Users of cloud-based password storage service LastPass may need a NewPass after hackers allegedly infiltrated the system. "Account email addresses, password reminders, server per user salts, and authentication hashes were compromised," according to a post on the LastPass blog by CEO Joe Siegrist.

Siegrist reassured users that the company "found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed," however.

Siegrist says the company has already taken steps to mitigate the damage:

We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.

It looks like this is stacking up to be the summer of the data thief:

In May, hackers weaseled their way into the IRS's systems through the agency's web interface, accessing information on 100,000 taxpayers.
Then, earlier this month, The U.S. Office of Personnel Management (OPM) notified employees of a "cybersecurity incident" in which (allegedly Chinese) hackers stole personal, identifiable information of 4 million government workers.
Just last week, news of another OPM hack came to light, this time involving records related to intelligence and military personnel's security clearances.
And over the weekend, British intelligence proffered a claim that China and Russia acquired classified intelligence documents from the oft-maligned Edward Snowden, though at least one expert says it's possible the Chinese and Russians hacked NSA computers and stole the files on their own.

There's a key difference between these government "cybersecurity incidents" and the LastPass theft, though: the master passwords stolen from LastPass were hashed—a type of one-way, or (theoretically) indecipherable, cryptography—using what Jeremi Gosney, Ars Technica's "resident password expert" called "among the strongest he has ever seen."

Gosney wrote, "Even weak passwords are fairly secure with that level of protection…I don't even feel compelled to change my master password."

Unfortunately, the government employees, taxpayers, and intelligence operatives impacted by the government breaches can't afford to be as nonchalant.

Despite the federal government's inability to keep its own data secure, as Andrea Castillo has written for Reason, "President Obama and leaders from the National Security Agency (NSA), FBI, and Department of Homeland Security (DHS) have been pressuring the technology community to build 'backdoors' that allow government access to [citizens'] encrypted data."

Cryptographic password hashing is technically different from the end-to-end encryption the administration seeks to weaken, but with back doors built into encrypted communications, there'd be no need to crack anyone's passwords anyway.

Castillo cautions:

The prospect of intentionally weakening these techniques in an effort to crack down on shadowy cybercriminals should be as unthinkable today as a proposal to cripple real-world keys, locks, and walls to root out property thieves.

As incidences of government falling prey to hackers continue coming to light, though, a better analogy might be: The prospect of giving the government a back door into cryptographic technology should be as unthinkable as asking a neighbor whose house has been broken into four times in a row to make sure no one breaks into yours.

Start your day with Reason. Get a daily brief of the most important stories and trends every weekday morning when you subscribe to Reason Roundup.

NEXT: Derek Khanna Says Our Patent System is Failing American Innovation

Hide Comments (41)

Editor's Note: As of February 29, 2024, commenting privileges on reason.com posts are limited to Reason Plus subscribers. Past commenters are grandfathered in for a temporary period. Subscribe here to preserve your ability to comment. Your Reason Plus subscription also gives you an ad-free version of reason.com, along with full access to the digital edition and archives of Reason magazine. We request that comments be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of reason.com or Reason Foundation. We reserve the right to delete any comment and ban commenters for any reason at any time. Comments may only be edited within 5 minutes of posting. Report abuses.

Old Man With Subpoena 10 years ago

Greeeeeat. The former Mrs. Candy (now Mrs. Subpoena) just had me dump all my password info into LastPass.

Now it's personal. I will hunt them down. I will find them. I will feed them into a woodchipper.
1. Pl?ya Manhattan. 10 years ago
  
  Unlike the government breaches, they didn't actually get the goods on this one. Your Teenmoms.com password is safe for now.
  1. Old Man With Subpoena 10 years ago
    
    Whew! I was worried that my history would go into the NSA's "Spanking" file on me.
2. iCarl 10 years ago
  
  Should I panic because Lastpass was hacked?
  
  As an aside, there's plenty of boring nerdrage over the incident, but 99.9% of users are going to be more secure with a good, easy-to-use password manager like LastPass than without one.
  
  If you want to fuck around with KeePass (or worse, Password Safe) because you're leet, have at it; most people, given the option between those, LastPass, and using the same handful of weak passwords across services will choose the final option.
  1. iCarl 10 years ago
    
    (or worse, Password Safe)
    
    Actually I was thinking of pass / password store. Password Safe probably falls into "as bad as KeePass".
  2. LynchPin1477 10 years ago
    
    I like last pass. The only problem is I don't know my gmail password anymore (randomly generated), or my bank accounts. So if I can't log in to lastpass, I'm sort of screwed. But that would only really matter if I wanted to check email from a public computer, for example. Which usually isn't a good idea, anyway.
  3. MoriahJovan 10 years ago
    
    What's wrong with KeePass?
    
    There's a third-party app that lets you make an encrypted folder on Dropbox IF YOU WANT TO and store your password file there for access, but it's not on a KeePass server. But it's got that encryption and the master password on the file and the master key (optional).
    
    I was going to go with LastPass until I realized it was in the cloud by default. I didn't find KeePass to be that difficult. I've had it for 3 years.
    
    Aside: We were using Yadabytes, which was a utility from back in the early aughts (I'm a utility junkie), but you couldn't share or merge or import/export passwords. The Spousal Unit finally gave in to my nagging and started using it so we weren't constantly asking each other for newly created accounts.
    1. iCarl 10 years ago
      
      What's wrong with KeePass?
      
      one
      two
      three: third-party app
      four: on Dropbox
      
      IOW, it is not user-friendly for "normal" people.
      1. MoriahJovan 10 years ago
        
        Damn. I didn't realize I was that abnormal.
  4. kbolino 10 years ago
    
    KeePass + Dropbox is not so bad, but doing it all properly requires greater than average computer literacy on the part of the user.
    
    Really, there's a fundamental problem that I don't think will ever be solved. In order for somebody to make your life easier, you have to trust them at some level. Intentionally or otherwise, breaches of trust will inevitably occur.
Hugh Akston 10 years ago

Why would anyone store any valuable data in the cloud?
1. Pl?ya Manhattan. 10 years ago
  
  What do you have against the fappening?
2. Pro Libertate 10 years ago
  
  It's the age of social media--share everything.
3. bassjoe 10 years ago
  
  If you're using GPG Tools to keep your stuff encrypted, there shouldn't be a problem using and sharing over the cloud.
Judge Chipper 10 years ago

OT, kind of, guess which egregious bastard said this:

If somebody would come up to me and say "Look, here's the thing: This Snowden thing is going to be a nightmare for you guys for about two years. And when we get all done with it, what you're going to be required to do is that little 215 program about American telephony metadata ? and by the way, you can still have access to it, but you got to go to the court and get access to it from the companies, rather than keep it to yourself" ? I go: "And this is it after two years? Cool!"
R C Woodchipper 10 years ago

Jeebus. When are people going to comprende that "cloud-based" is just marketing-ese for "someone else's server, which you know nothing about"?
1. Paul. 10 years ago
  
  Been saying it for years. If the data isn't on your hard drive or other local storage medium, it doesn't belong to you.
  1. Detroit Linguist 10 years ago
    
    Does this include your bank account data? What about your cellphone account and all your text messages? What about your email system login information, and all your email messages? All of that is stored 'in the cloud' and always has been. How could you communicate securely with anyone otherwise? Secure communication requires two ends and a middle man to manage the encrypting/decrypting keys.
    
    Of course there's a risk. I use Lastpass, and I changed my master password last night. But Lastpass enables me to have twenty different unguessable passwords even I don't know, which makes me more secure than I would be if I used the same, easily memorized password on twenty different sites. All security is a trade-off.
    1. R C Woodchipper 10 years ago
      
      All of that is stored 'in the cloud' and always has been.
      
      Yup. None of it is your data.
      
      What's amazing about the cloud is they somehow convinced people to move data off of their owned and controlled devices and onto servers that they know nothing about.
2. TChipperman 10 years ago
  
  More importantly, when are people going to realize that nothing online is really all that safe and/or privacy protected?
  
  The shit people post on FB and Instagram and Twitter etc. sometimes just blows me away.
  
  So you thought your boss wouldn't read your FB page? Well that was stupid now wasn't it.
  
  You didn't want that bikini picture getting passed around to all your friends friends? Then why DID YOU POST IT ON A SOCIAL MEDIA SITE??
  
  People is dumb.
3. Jerry on the sea 10 years ago
  
  The Internet of Cloud Things 2.0.
4. Pro Libertate 10 years ago
  
  Have you reviewed any cloud agreements? Quite often, the provider will reserve the right to locate servers overseas. Lovely.
  1. R C Woodchipper 10 years ago
    
    Quite often, the provider will reserve the right to locate servers overseas.
    
    Yeah, that's on our shortlist of deal-killers.
    
    Anybody we use has to swear up and down that our data doesn't go overseas. Period.
    
    And we audit. Oh, my, yes, do we audit.
    1. Pro Libertate 10 years ago
      
      Same with us. Screw that nonsense.
SusanM 10 years ago

The Brits are officially on the case

https://youtu.be/miPa9Yg7zBI?t=37
bassjoe 10 years ago

Cryptographic backdoors are dangerous and INCREDIBLY stupid. Even assuming the government can protect the backdoor master key (extremely unlikely), it makes it that much easier for hackers/crackers to brute-force their way into encrypted information. The backdoor weakens the entire encryption scheme by adding a level of predictability to it.
Loki 10 years ago

Why the fuck would anyone store their passwords in the cloud? That might be the most retarded thing I've read this week.
1. Detroit Linguist 10 years ago
  
  Most security professionals I know (including Bruce Schneier and a number of CISO's I work with) respectfully disagree.
2. iCarl 10 years ago
  
  We're not pasting them into a Google Doc, Loki. They're encrypted client-side.
  
  It's still an added risk over storing them locally, sure, but it's not crazy.
3. Judge Chipper 10 years ago
  
  No need to have it in the cloud, use KeePass on both your desktop and phone, problem solved.
  
  Seriously do not understand why anyone would put anything on some unknown, possibly compromised server when they can just keep it local.
  
  I mean, a password file is one of the smallest files in existence, even if your passwords are ginormous, like 100-char Spock-type passwords, and there is surely enough space on your phone or laptop to store that, and access through a master key.
  1. mad.casual 10 years ago
    
    there is surely enough space on your phone or laptop to store that
    
    I keep mine in a USB drive on my keychain. 8 GB of passwords in the palm of your hand for < $20. If you count one in a slick at home, $40.
  2. Muhammad Finkelstein (widget) 10 years ago
    
    and access through a master key.
    
    Aren't you just kicking the can down the street? Where do you store the master key? In you head, I presume.
4. DaveSs 10 years ago
  
  Because its convenient and significantly more secure than the way most people manage their passwords (which is to use the same one everywhere)
  
  I have over 80 sites in my vault.
  Each one is unique
  Each one is very complex
  Encryption and Decryption of your Username/PW and Vault is done on the client device, so plain text data never even enters their servers. I doubt LP could decrypt your user password vault even if they wanted to.
  
  In theory you could use something like KeePass to do almost the same thing, but its a PITA compared to LastPass when you consider the steps necessary to maintain backups, and to keep multiple devices all synced to the same password vault.
  1. kbolino 10 years ago
    
    I don't know how LastPass manages their software, but if they produce the client application then it just takes one rogue (or government-mandated) automatic update to break whatever promises are made with regard to the protection of your personal information.
    
    This is no less true of KeePass, although it's easier to detect a program that connects to the Internet when it's not supposed to than it is to monitor the protocol traffic of a program that is supposed to connect to the Internet.
Rhywun 10 years ago

I think we would be a lot better off behaving as if everything we put online is wide-open for all to see - because, in effect, it is. The hoops we all jump through ("your password must contain at least one from each of these 4 categories...", "you must change your password every 30 days...") are a complete waste of time because nobody who isn't a superhuman can memorize dozens of different, unguessable passwords that change all the time.

Until we develop some technology that doesn't exist yet - this is all theater.
1. Detroit Linguist 10 years ago
  
  That's exactly what password managers are for. They allow me to have dozens of unguessable passwords that change all the time (well, every few months, anyway). And yes, there's a risk that Lastpass will get hacked again. But all of life is filled with risks, and on balance I prefer using a cloud-based password manager to trying to memorize dozens of complex passwords.
  
  And you can't stay away from 'the cloud' unless you stay away from computers. Again, it's a balancing act. As Schneier keeps saying, all security is a trade-off.
  1. Rhywun 10 years ago
    
    That's exactly what password managers are for
    
    Yeah, and then you're left with one password that "guards" all your other passwords. I use them for convenience but I'm not thinking it's in any way secure.
    1. Muhammad Finkelstein (widget) 10 years ago
      
      Thank You, Rhywun.
    2. DaveSs 10 years ago
      
      The difference is
      
      One strong password, protected by strong encryption
      
      Vs what a lot of people still do out of convenience which is use the same password everywhere.
      Except if you do that, it doesn't really matter how strong your password is because hackers need only to find reasonably popular systems with weak security, and exploit them.
Muhammad Finkelstein (widget) 10 years ago

My little rant about passwords is that so many commercial websites require a registration with a username and password just to browse their product offerings with the price included, or access their tech support forum. For no reason I can come up with. And then there is the problem about what passwords are acceptable. The password "password" has 8 characters, but no numbers. "password1" fixes that, but you need at least one upper case character. "Password1" fixes that, but you need at least one special character. "Password_1" fixes that, until some site tells you it's too long, or special characters are not supported. I have my 8 character commercial password that works on about 90% of web sites. That seems to be the limit.

IMHO, small commercial websites should always offer a Paypal option. It's a double ding from Paypal and the CC company but it's relatively frictionless. When it comes to authentication, less is better. Too many password being stored in too many places does not help.
curtrangecroft 10 years ago

I make up to $90 an hour working from my home. My story is that I quit working at Walmart to work online and with a little effort I easily bring in around $40h to $86h? Someone was good to me by sharing this link with me, so now i am hoping i could help someone else out there by sharing this link... Try it, you won't regret it!......
http://www.freelance-cash.com

Please log in to post comments

Cloud-Based Password Service LastPass Hacked, User Data Compromised

But cryptographic tech, like that the government wants to weaken, helps mitigate the risk to users.

Latest

Rise of the Samurai Lawyers

Marco Rubio Says He's Revoked 300 Student Visas Over Campus Activism

Pam Bondi Aims To Revive a Moribund Legal Process for Restoring Gun Rights

Trump Is Sabotaging His 'Drill, Baby, Drill' Agenda

How Backpage Became MILFS.com

Recommended

Login Form