LastPass attacker stole password vault data, showing Web2’s limitations

by Arthur · December 23, 2022

Password management service LastPass was hacked in August 2022, and the attacker stole users’ encrypted passwords, according to a Dec. 23 company statement. This means that the attacker may be able to crack some website passwords of LastPass users through brute force guessing.

Recent Security Incident Alert – The LastPass Blog#lastpasshack #hack #lastpass #infosec https://t.co/sQALfnpOTy

— Thomas Zickell (@thomaszickell) 23 December 2022

LastPass first disclosed the breach in August 2022, but at the time it appeared the attacker had only obtained source code and technical information, not customer data. However, the company has investigated and discovered that the attacker used this technical information to attack another employee’s device, which was then used to obtain keys to customer data stored in a cloud storage system.

As a result, unencrypted customer metadata has been exposed to the attacker, including “company names, end user names, billing addresses, email addresses, phone numbers, and the IP addresses from which customers accessed the LastPass service.”

In addition, some customers’ encrypted vaults were stolen. These vaults contain the website passwords that each user stores with the LastPass service. Fortunately, the vaults are encrypted with a master password, which should prevent the attacker from being able to read them.

The statement from LastPass emphasizes that the service uses state-of-the-art encryption to make it very difficult for an attacker to read vault files without knowing the master password, saying:

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

Still, LastPass admits that if a customer has used a weak master password, an attacker may be able to brute force guess that password, allowing them to decrypt the vault and obtain all of the customers’ website passwords, as LastPass explains:

“It is important to note that if your master password does not make use of [best practices the company recommends], then it will reduce the number of trials needed to guess correctly. In this case, as an additional security measure, you should consider minimizing the risk by changing the passwords of websites you have saved.”

Can password manager hacks be eliminated with Web3?

The LastPass exploit illustrates a claim that Web3 developers have been making for years: that the traditional username and password login system needs to be scrapped in favor of blockchain wallet logins.

According to crypto wallet login advocates, traditional password logins are fundamentally insecure because they require password hashes to be held on cloud servers. If these hashes are stolen, they can be cracked. Additionally, if a user relies on the same password for multiple sites, one stolen password can lead to the breach of all others. On the other hand, most users cannot remember multiple passwords for different websites.

To solve this problem, password management services like LastPass have been invented. But these also rely on cloud services to store encrypted password vaults. If an attacker manages to obtain the password vault from the password management service, they may be able to crack the vault and obtain all of the user’s passwords.

Web3 applications solve the problem in a different way. They use browser extension wallets like Metamask or Trustwallet to log in with a cryptographic signature, eliminating the need for a password to be stored in the cloud.

*An example of a crypto wallet login page. Source: Blockscan Chat*

But so far this method has only been standardized for decentralized applications. Traditional apps that require a central server do not currently have an agreed upon standard for how to use crypto wallets for login.

Related: Facebook receives a fine of 265 million euros for leaking customer data

However, a recent Ethereum Improvement Proposal (EIP) aims to remedy this situation. Called “EIP-4361,” the proposal attempts to provide a universal standard for web logins that works for both centralized and decentralized applications.

If this standard is agreed upon and implemented by the Web3 industry, its proponents hope that the entire World Wide Web will eventually rid itself of password logins altogether, eliminating the risk of password management breaches like the one that occurred at LastPass.