
Based on the LastPass breach and the theft of encrypted user password vaults, what is the likelihood that another (edit 2023-01-17: non-LastPass) major password management service will be similarly breached in 2023?
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
Criteria:
Service must be a cloud-based password management service with >1 million unique users (active or not) at the time of the attack. If it seems at all close on that user threshold, assume "yes".
Attack must occur within calendar 2023, UTC. Detection/disclosure of attack need not be.
The architecture of the service must primarily or exclusively be built around storage of encrypted user password vaults. A generic cloud-storage / file management service (Dropbox, Google Drive, OneDrive) does not count. Password security/strength checkers that incidentally use and store metadata from previous breaches to evaluate password security also don't count. (OK, I probably could have just said Have I Been Pwned / Pwned Passwords here.)
At least one user password being displayed to the attacker and/or exfiltrated as a data download (even if an encrypted version of that password) qualifies as a breach, provided it was by an external and unauthorized party. (An employee absconding with a jilted lover's password file does not count). * see caveat in criterion #7.
The breach must be disclosed in a major media outlet, if not by the company directly. If a publication is remotely questionable on this criterion, assume "no".
(Added 2023-01-17) A second (through nth...) breach of LastPass does not count for this market. It must be a non-LastPass service. (That said, if some really wild edge case happens, like LastPass acquires a qualifying service and the breach is or seems to be entirely isolated to / affecting that service and its users, I reserve the right to go with YES after all.)
(Added 2023-01-25) A bulk attack on the service, using credential stuffing or other techniques that don't exploit a bug or vulnerability, and that results in a widespread compromise of user accounts will count, if there are clear preventive measures that a password security service could have taken to prevent them. For instance:
- lacking two-factor authentication
- not checking, or having weak requirements for, the strength of vaults' master passwords
- not having a means to stop or throttle bulk malicious traffic
These all feel like negligence on the part of the password security service.
Caveat: isolated reports of a single user's or targeted set of users' passwords being obtained through credential stuffing, phishing, social engineering, etc. (even someone high-profile like a government leader or celebrity technology leader) will not count, even if such an episode would otherwise pass criterion #4. The rubric here will be "does it seem like they were going for specific individuals or just every user account they could find?"
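The three preventive measures listed above, and the bulk-vs-targeted rubric in the caveat, can be made concrete. The following is an added example written for this page, not code from LastPass or from any of the services named in the market: it runs a constructed stream of login attempts through per-source and per-account throttling, applies an assumed master-password policy (minimum length, a small inline breach list, character classes), and classifies a campaign as bulk or targeted by comparing distinct accounts against distinct sources. All thresholds, names and sample traffic are assumptions chosen for illustration.

```python
"""Added illustration (not from the market page or any vendor): login
throttling, a master-password strength gate, and a bulk-vs-targeted
heuristic, replayed over constructed login attempts. Every threshold,
hostname, account and IP below is an assumption for the example."""
from __future__ import annotations
from collections import defaultdict, deque

# Constructed mini breach corpus. A real service would consult a full
# breached-password set rather than a four-entry literal.
BREACHED = {"password123", "letmein", "qwerty123456", "correcthorse"}


def check_master_password(pw: str, min_len: int = 12) -> list:
    """Return the reasons a candidate master password is rejected; an
    empty list means it passes the assumed policy."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if pw.lower() in BREACHED:
        reasons.append("appears in breach corpus")
    classes = sum((
        any(c.islower() for c in pw), any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)))
    if classes < 3:
        reasons.append("fewer than three character classes")
    return reasons


class LoginGate:
    """Sliding-window throttle. Decisions: 'allow', 'deny' (bad credential,
    counted against the account), 'throttle_ip' (too many attempts from one
    source, regardless of account), 'lock_account' (too many failures on
    one account, regardless of source)."""

    def __init__(self, ip_limit=20, ip_window=60, acct_limit=5, acct_window=900):
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.acct_limit, self.acct_window = acct_limit, acct_window
        self.ip_hits = defaultdict(deque)    # ip -> timestamps of attempts
        self.acct_fail = defaultdict(deque)  # account -> timestamps of failures

    @staticmethod
    def _prune(q: deque, now: float, window: float) -> None:
        while q and now - q[0] > window:
            q.popleft()

    def decide(self, now: float, ip: str, account: str, password_ok: bool) -> str:
        ipq = self.ip_hits[ip]
        self._prune(ipq, now, self.ip_window)
        if len(ipq) >= self.ip_limit:
            return "throttle_ip"  # refuse before evaluating the credential
        ipq.append(now)
        aq = self.acct_fail[account]
        self._prune(aq, now, self.acct_window)
        if len(aq) >= self.acct_limit:
            return "lock_account"
        if not password_ok:
            aq.append(now)
            return "deny"
        return "allow"


def replay(attempts, gate: LoginGate | None = None) -> dict:
    """Feed (timestamp, ip, account, password_ok) tuples through a gate and
    return a count of each decision."""
    gate = gate or LoginGate()
    counts = defaultdict(int)
    for t, ip, acct, ok in attempts:
        counts[gate.decide(t, ip, acct, ok)] += 1
    return dict(counts)


def classify_campaign(attempts) -> str:
    """Assumed heuristic for the bulk-vs-targeted rubric: many accounts hit
    from few sources reads as bulk stuffing; few accounts hit from many
    sources reads as targeted."""
    accounts = {a for _, _, a, _ in attempts}
    sources = {ip for _, ip, _, _ in attempts}
    return "bulk" if len(accounts) > len(sources) else "targeted"


# Constructed traffic: a stuffing run from one IP across 30 accounts in 30
# seconds, then 8 failures against one account from 8 different IPs.
STUFFING = [(t, "203.0.113.7", f"user{t}@example.com", False) for t in range(30)]
TARGETED = [(100 + i, f"198.51.100.{i}", "ceo@example.com", False) for i in range(8)]

if __name__ == "__main__":
    print(replay(STUFFING), classify_campaign(STUFFING))
    print(replay(TARGETED), classify_campaign(TARGETED))
    print(check_master_password("correcthorse"))
```

With the assumed limits, the stuffing run gets 20 credential checks before the source is throttled, the targeted run locks the account after five failures whatever the source, and "correcthorse" fails both the breach-list and character-class checks despite meeting the length minimum.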
If an attack is discovered that started prior to 2023 but continued into 2023, it will not count unless it is evident that the company knew about the initial attack, did no mitigation, and left itself open to a second, distinct copycat event that did occur in 2023.
(Added 2023-01-25) This market will resolve YES earlier than the close date when a) there is a public report of a potentially qualifying breach and b) the company has either admitted or confirmed enough details to pass all the criteria. A news report that purports to supply all the necessary details is not, by itself, enough; I will allow the impacted service the time needed to conduct its investigation and confirm.
Otherwise, this market will close at 00:00 UTC on 2024-01-01. Resolution will be four months later, on May Day (lol) 2024 UTC, based on the four months between the attack and disclosure for LastPass. If a suspected but unconfirmed breach is being reported by a service as of May Day, resolution will remain pending until that investigation concludes (or until all of them conclude if there are, heaven forbid, multiple ongoing).
(Added 2023-01-26) List of services that are being or have been considered as resolution candidates:
Norton Lifelock / Norton Password Manager - NO