Main menu


LastPass attacker stole data from password vault, showing limitations of Web2

featured image

Password management service LastPass was hacked in August 2022 and the attacker stole users’ encrypted passwords, according to a Dec. 23 statement from the company. This means that the attacker could crack some website passwords of LastPass users through brute force guessing.

LastPass first disclosed the breach in August 2022, but at that time it appeared that the attacker had only obtained source code and technical information, not customer data. However, the company investigated and found that the attacker used this technical information to attack another employee’s device, which was used to obtain keys from customer data stored on a cloud storage system.

As a result, unencrypted customer metadata was revealed to the attacker, including “company names, end user names, billing addresses, email addresses, phone numbers and IP addresses from where customers accessed the LastPass service.”

Additionally, some customers’ encrypted vaults were stolen. These vaults contain the website passwords that each user stores with the LastPass service. Fortunately, the vaults are encrypted with a Master Password, which should prevent an attacker from being able to read them.

LastPass’s statement emphasizes that the service uses state-of-the-art encryption to make it very difficult for an attacker to read the vault files without knowing the Master Password, stating:

“These encrypted fields remain protected with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

Even so, LastPass admits that if a customer has used a weak Master Password, the attacker can brute-force guess that password, allowing them to decrypt the vault and obtain all of the customers’ website passwords, as LastPass explains:

“It is important to note that if your master password does not make use of the [best practices the company recommends], would significantly reduce the number of guesses required to guess it correctly. In that case, as an extra security measure, you should consider minimizing the risk by changing the website passwords you have stored.”

Can password manager hacks be eliminated with Web3?

The LastPass exploit illustrates a claim that Web3 developers have been making for years: that the traditional username and password login system needs to be discarded in favor of blockchain wallet logins.

According to crypto wallet login advocates, traditional password logins are fundamentally insecure because they require password hashes to be maintained on cloud servers. If these hashes are stolen, they can be cracked. Furthermore, if a user uses the same password for multiple websites, a stolen password can lead to the breach of all the others. On the other hand, most users cannot remember multiple passwords for different websites.

To solve this problem, password management services like LastPass were invented. But they also rely on cloud services to store vaults of encrypted passwords. If an attacker manages to get hold of the password manager service’s password vault, he can break into the vault and obtain all of the user’s passwords.

Web3 apps solve the problem in a different way. They use browser extension wallets like Metamask or Trustwallet to log in using a cryptographic signature, eliminating the need to store a password in the cloud.

An example of a crypto wallet login page. Source: Blockscan Chat

But until now, this method has been standardized only for decentralized applications. Traditional applications that require a central server currently do not have an agreed standard on how to use cryptographic wallets for logins.

Related: Facebook fined €265 million for leaking customer data

However, a recent Ethereum Improvement Proposal (EIP) aims to remedy this situation. Dubbed “EIP-4361,” the proposal attempts to provide a universal standard for web logins that works for both centralized and decentralized applications.

If this standard is agreed upon and implemented by the Web3 industry, its proponents hope that the entire world wide web will eventually get rid of password logins, eliminating the risk of password manager breaches like LastPass.