Will another cloud-based password management service with >1 million users be hacked and have user password vaults stolen in 2023?
Basic
101
19k
resolved May 6
Resolved
NO

Based off of the LastPass breach and the theft of encrypted user password vaults, what is the likelyhood that another (edit 2023-01-17: non-LastPass) major password management service will be similarly breached in 2023?

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Criteria:

  1. Service must be a cloud-based password management service with >1 million unique users (active or not) at the time of the attack. If it seems at all close on that user threshold, assume "yes".

  2. Attack must occur within calendar 2023, UTC. Detection/disclosure of attack need not be.

  3. The architecture of the service must primarily or exclusively be around storage of encrypted user password vaults. A generic cloud-storage / file management service (Dropbox, Google Drive, OneDrive) does not count. Password security/strength checkers that incidentally use and store metadata/previous breaches to evaluate secure passwords also don't count. (ok I probably could have just said YouHaveBeenPwned/Pwned Passwords, here).

  4. At least one user password being displayed to the attacker and/or exfiltrated as a data download (even if an encrypted version of that password) qualifies as a breach, provided it was by an external and unauthorized party. (An employee absconding with a jilted lover's password file does not count). * see caveat in criterion #7.

  5. The breach must be disclosed in a major media outlet, if not by the company directly. If a publication is remotely questionable on this criteria, assume "no".

  6. (Added 2023-01-17) A second (through nth...) breach of LastPass does not count for this market. It must be a non-LastPass service. (That said, if some really wild edge case happens, like LastPass acquires a qualifying service and the breach is or seems to be entirely isolated to / affecting that service and its users, I reserve the right to go with YES after all.)

  7. (Added 2023-01-25) A bulk attack on the service, using credential stuffing or other techniques that don't exploit a bug or vulnerability, and that results in a widespread compromise of user accounts will count, if there are clear preventive measures that a password security service could have taken to prevent them. For instance:

  • lacking two-factor authentication

  • not checking or having weak requirements for password strength for vaults' master passwords

  • not having a means to stop or throttle bulk malicious traffic

These all feel like negligence on the part of the password security service.

Caveat: isolated reports of a single user's or targeted set of users' passwords being obtained through credential stuffing, phishing, social engineering, etc. (even someone high-profile like a government leader or celebrity technology leader) will not count, even if such an episode would otherwise pass criterion #4. The rubric here will be "does it seem like they were going for specific individuals or just every user account they could find?"

  1. If an attack is discovered that started prior to 2023, but spans/spanned into 2023, the attack will not count unless it is evident that the company knew about the initial attack, did no mitigation, and left themselves open to a second, distinct copycat event that did occur in 2023.


Added 2023-01-25) This market will resolve YES earlier than the close date when a) there is a public report of a potentially qualifying breach and b) the company has either admitted or confirmed a sufficient number of details to pass all the criteria. A news report purporting all sufficient details itself isn't enough, and I will allow the time needed for the impacted service to conduct their investigation to confirm.

Otherwise, this market will close at midnight 2024 UTC. The resolution will be four months later on May Day (lol) 2024 UTC. (Based on four months between the attack and disclosure for LastPass). If a suspected but unconfirmed breach is being reported by a service as of May Day, the market resolution will remain pending until that investigation concludes (or "all conclude" if there are, heaven forbid, multiple ongoing).


(Added 2023-01-26) List of services that are being or had been considered as resolution candidates:

  • Norton Lifelock / Norton Password Manager - NO

Get Ṁ600 play money

🏅 Top traders

#NameTotal profit
1Ṁ795
2Ṁ183
3Ṁ156
4Ṁ85
5Ṁ85
Sort by:

@traders - thank you to all who participated and waited the (admittedly) ridiculously long post-close resolution time.

I spent the evening looking for any evidence I could of any sizeable breaches, and found none. Therefore, this market has resolved NO.

📢Pending Resolution.

predicted NO

@SirCryptomind Rules state that this will not be resolved until May 1.

predicted YES

@traders - tl;dr when I created this market I didn’t understand that a short gap between close date and resolution was preferred or expected.

I am getting pinged weekly-ish to resolve this market.

I would love your feedback on what to do about this?

@MattCWilson

  • You could extend the close date.

  • You could resolve based off of known facts now, and revisit if something happens between now and May 1st per your criteria.

The first option probably makes the most sense and current predictors can move out or add to their position or new predictors could come along in the mean time.

predicted NO

You can leave the market open until resolution - there's no real reason to have closed it. The market does say it closes, but there's no real reason anyone should object to leaving it open.

Or you can just ignore the pings. Manifold pings to remind people, but sometimes the market is intentionally closed, and they ought to build a way to say "yes, remind me on May 1, not now"

You should definitely stick with the resolution rule (May 1), unless there's a good reason not to. But changes to the close date are generally unimportant

predicted NO

Anyone find a big leak?

predicted YES

Just a random Twitter, cannot verify:

This @Okta data breach keeps getting worse. Now @1Password has been named as the vector attackers used to hack into Okta which means they are also compromised ...

predicted YES

@uair01 Also:

Network and security giant Cloudflare and password manager maker 1Password said hackers briefly targeted their systems following a recent breach of Okta’s support unit.

Both Cloudflare and 1Password said their recent intrusions were linked to the Okta breach, but that the incidents did not affect their customer systems or user data.

predicted NO
predicted YES

@xyz Ooof. This sucks. That said, I would classify Okta as a single-sign-on (SSO) provider and not a password manager. Unless they have a product / do business around storing password vaults that I am unaware of, this hack will not qualify under criterion #3.

predicted YES

@Radicalia Very cool! Thank you!

predicted YES

@anne Bought yes, but I'm not sure if a credential stuffing/password reuse attack would count for resolution criteria

In a notice to customers, Gen Digital, the parent company of Norton LifeLock, said that the likely culprit was a credential stuffing attack — where previously exposed or breached credentials are used to break into accounts on different sites and services that share the same passwords — rather than a compromise of its systems.

predicted YES

Rip

@anne I don't think this is a YES. That article says nothing about a breach (just credential reuse attack).

@jack Also going by the article, the attack seems to have occurred in 2022

predicted NO

@Austin Good point.

Re whether credential stuffing attacks count, I guess it's potentially quite concerning if their systems allowed a large volume of automated password guessing attempts. But this article https://www.pcmag.com/news/hackers-target-norton-password-manager-access-8000-user-accounts says

“We determined that, beginning around December 1, 2022, an unauthorized third party had used a list of usernames and passwords obtained from another source, such as the dark web, to attempt to log into Norton customer accounts. Our own systems were not compromised,” the company wrote in the data breach notice. 

So it sounds like password reuse was the main thing here and there's only so much you can do to defend against that.

predicted YES

@anne Woo hoo, spicy! Thank you for the articles 😄

That said, this one is not resolving YES yet. Lemme speak to the criteria as written and then also speak to the question in the thread about credential stuffing attacks.

  1. YES. 925,000 users quoted in the 2nd article is pretty dang close to 1M, enough so that I doubt anyone would quibble hard on just this point.

  2. NO. Attack first occurred prior to calendar 2023. That said, I will clarify in the criteria in case we hear of “an ongoing/recurring attack” that’s hard to discern if it’s one event or multiple.

  3. YES. Cloud hosted encrypted password files, check.

  4. N/A/TBD. Relevant quote from the 1st article:

The notice was sent to customers that it believes use its password manager feature, because the company cannot rule out that the intruders also accessed customers’ saved passwords.

  1. YES. PCMag, CNet, TechCrunch are good enough for me. Would love a CNN/Guardian/NYT/WaPo here but that’d just be gravy. But also, irony alert (check the date 😂):

Make sure you have a strong master password, one that's not easily guessable. It's a good idea to use a phrase instead of one or two words, since a longer password will be tougher to crack than a shorter password. It's also advisable to include upper and lowercase letters, numbers and special characters in the phrase, while still making the master password something that's easy to remember, said Daniel Kats, senior principal researcher for Norton, a Gen Digital brand.

  1. YES. QED.

Ok - credential stuffing. I’m on the fence, honestly. The fact that several articles point to Norton not requiring 2FA, and (evidently) not using something like PwnedPasswords integration (or any password strength detection… ?), and not having any throttling or killswitch on bulk attacks means imo there is some negligence here on the part of a password security service. But like, then again… why are people using a password manager and also c/p passwords? So, what I’ll do here is add a criterion that a credential stuffing attack will count, because in my

mind the burden of responsibility is on the service provider here. But with a caveat that a single reported instance of an isolated impersonation / identity theft (say, of a famous or high profile target) won’t count.

Hope that helps. Thanks again! This is getting exciting!

predicted YES

@MattCWilson I hope no one is discouraged by this. We still have a long year ahead of us.

@Predictor What you say is true, it is a long year ahead of us, and that makes me sad also

Will you immediately resolve it YES if a password breach is confirmed or will you wait?

predicted YES

@ZZZZZZ Not sure how I missed this last week.

Yes, I will resolve earlier than May 2024 if a qualifying breech occurs. “Immediately”… based on circumstances I could imagine monitoring a breaking news story while details relevant to the resolution are still surfacing. (For instance, whether it was an employee or an external attacker.)

I’ll edit the description and criteria to clarify.

More related questions