Will another cloud-based password management service with >1 million users be hacked and have user password vaults stolen in 2023?
101
1.8kṀ18k
resolved May 6
Resolved
NO

Based off of the LastPass breach and the theft of encrypted user password vaults, what is the likelyhood that another (edit 2023-01-17: non-LastPass) major password management service will be similarly breached in 2023?

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Criteria:

  1. Service must be a cloud-based password management service with >1 million unique users (active or not) at the time of the attack. If it seems at all close on that user threshold, assume "yes".

  2. Attack must occur within calendar 2023, UTC. Detection/disclosure of attack need not be.

  3. The architecture of the service must primarily or exclusively be around storage of encrypted user password vaults. A generic cloud-storage / file management service (Dropbox, Google Drive, OneDrive) does not count. Password security/strength checkers that incidentally use and store metadata/previous breaches to evaluate secure passwords also don't count. (ok I probably could have just said YouHaveBeenPwned/Pwned Passwords, here).

  4. At least one user password being displayed to the attacker and/or exfiltrated as a data download (even if an encrypted version of that password) qualifies as a breach, provided it was by an external and unauthorized party. (An employee absconding with a jilted lover's password file does not count). * see caveat in criterion #7.

  5. The breach must be disclosed in a major media outlet, if not by the company directly. If a publication is remotely questionable on this criteria, assume "no".

  6. (Added 2023-01-17) A second (through nth...) breach of LastPass does not count for this market. It must be a non-LastPass service. (That said, if some really wild edge case happens, like LastPass acquires a qualifying service and the breach is or seems to be entirely isolated to / affecting that service and its users, I reserve the right to go with YES after all.)

  7. (Added 2023-01-25) A bulk attack on the service, using credential stuffing or other techniques that don't exploit a bug or vulnerability, and that results in a widespread compromise of user accounts will count, if there are clear preventive measures that a password security service could have taken to prevent them. For instance:

  • lacking two-factor authentication

  • not checking or having weak requirements for password strength for vaults' master passwords

  • not having a means to stop or throttle bulk malicious traffic

These all feel like negligence on the part of the password security service.

Caveat: isolated reports of a single user's or targeted set of users' passwords being obtained through credential stuffing, phishing, social engineering, etc. (even someone high-profile like a government leader or celebrity technology leader) will not count, even if such an episode would otherwise pass criterion #4. The rubric here will be "does it seem like they were going for specific individuals or just every user account they could find?"

  1. If an attack is discovered that started prior to 2023, but spans/spanned into 2023, the attack will not count unless it is evident that the company knew about the initial attack, did no mitigation, and left themselves open to a second, distinct copycat event that did occur in 2023.

Added 2023-01-25) This market will resolve YES earlier than the close date when a) there is a public report of a potentially qualifying breach and b) the company has either admitted or confirmed a sufficient number of details to pass all the criteria. A news report purporting all sufficient details itself isn't enough, and I will allow the time needed for the impacted service to conduct their investigation to confirm.

Otherwise, this market will close at midnight 2024 UTC. The resolution will be four months later on May Day (lol) 2024 UTC. (Based on four months between the attack and disclosure for LastPass). If a suspected but unconfirmed breach is being reported by a service as of May Day, the market resolution will remain pending until that investigation concludes (or "all conclude" if there are, heaven forbid, multiple ongoing).

(Added 2023-01-26) List of services that are being or had been considered as resolution candidates:

  • Norton Lifelock / Norton Password Manager - NO

Technology
Programming
Information security
Resolution Pending
Data Breaches
Get
Ṁ1,000
to start trading!

🏅 Top traders

#NameTotal profit
1Ṁ795
2Ṁ183
3Ṁ156
4Ṁ85
5Ṁ85

People are also trading

Which of 1password or Bitwarden will have user secrets exposed in a security breach first?
Will my employer be hit with a major ransomware attack again by the end of 2025?
16% chance
Will "Store Now Decrypt Later" attacks be responsible for the theft of >$1B of funds by 2030?
19% chance
Will DOGE cause a data breach during 2025?
34% chance
Will Protonmail have any serious problems before 2035?
53% chance
Will CLEAR's biometric customer data be leaked by 2027?
69% chance
What is the next password manager the Wirecutter will start recommending?
Will Manifold leak KYC information by the end of 2026?
20% chance
What method of storing my passwords should I use?
Will advanced AI systems be found to have made money illegally via finding security exploits and/or getting unauthorized access to others' bank accounts by end of 2035?
78% chance
© Manifold Markets, Inc.TermsPrivacy