Based off of the LastPass breach and the theft of encrypted user password vaults, what is the likelihood that another (edit 2023-01-17: non-LastPass) major password management service will be similarly breached in 2023?
Service must be a cloud-based password management service with >1 million unique users (active or not) at the time of the attack. If it seems at all close on that user threshold, assume "yes".
Attack must occur within calendar 2023, UTC. Detection/disclosure of attack need not be.
The architecture of the service must primarily or exclusively be around storage of encrypted user password vaults. A generic cloud-storage / file management service (Dropbox, Google Drive, OneDrive) does not count. Password security/strength checkers that incidentally use and store metadata/previous breaches to evaluate secure passwords also don't count. (ok I probably could have just said YouHaveBeenPwned/Pwned Passwords, here).
At least one user password being displayed to the attacker and/or exfiltrated as a data download (even if an encrypted version of that password) qualifies as a breach, provided it was by an external and unauthorized party. (An employee absconding with a jilted lover's password file does not count). * see caveat in criterion #7.
The breach must be disclosed in a major media outlet, if not by the company directly. If a publication is remotely questionable on this criterion, assume "no".
(Added 2023-01-17) A second (through nth...) breach of LastPass does not count for this market. It must be a non-LastPass service. (That said, if some really wild edge case happens, like LastPass acquires a qualifying service and the breach is or seems to be entirely isolated to / affecting that service and its users, I reserve the right to go with YES after all.)
(Added 2023-01-25) A bulk attack on the service, using credential stuffing or other techniques that don't exploit a bug or vulnerability, and that results in a widespread compromise of user accounts will count, if there are clear preventive measures that a password security service could have taken to prevent them. For instance:
lacking two-factor authentication
not checking or having weak requirements for password strength for vaults' master passwords
not having a means to stop or throttle bulk malicious traffic
These all feel like negligence on the part of the password security service.
Caveat: isolated reports of a single user's or targeted set of users' passwords being obtained through credential stuffing, phishing, social engineering, etc. (even someone high-profile like a government leader or celebrity technology leader) will not count, even if such an episode would otherwise pass criterion #4. The rubric here will be "does it seem like they were going for specific individuals or just every user account they could find?"
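As an added illustration (not part of the market description or any comment here), the following Python detector applies the bulk-versus-targeted rubric above to constructed login log lines: many distinct accounts tried from one source with mostly failures reads as bulk credential stuffing that a throttle should have stopped, while repeated failures on a single account reads as a targeted attempt. The log format, IPs and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). Assumed format:
# <timestamp> src=<ip> user=<account> result=ok|fail
SAMPLE_LOG = """\
2023-12-01T00:00:01Z src=203.0.113.7 user=alice result=fail
2023-12-01T00:00:02Z src=203.0.113.7 user=bob result=fail
2023-12-01T00:00:03Z src=203.0.113.7 user=carol result=ok
2023-12-01T00:00:04Z src=203.0.113.7 user=dave result=fail
2023-12-01T00:00:05Z src=203.0.113.7 user=erin result=fail
2023-12-01T00:00:06Z src=203.0.113.7 user=frank result=fail
2023-12-01T00:00:07Z src=198.51.100.9 user=ceo result=fail
2023-12-01T00:00:08Z src=198.51.100.9 user=ceo result=fail
2023-12-01T00:00:09Z src=198.51.100.9 user=ceo result=fail
2023-12-01T00:00:10Z src=192.0.2.44 user=grace result=ok
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(ok|fail)")


def summarize(log_text):
    """Per source IP: attempts, failures, distinct accounts tried, accounts that succeeded."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "accounts": set(), "hits": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, user, result = m.groups()
        s = stats[src]
        s["attempts"] += 1
        s["accounts"].add(user)
        if result == "fail":
            s["failures"] += 1
        else:
            s["hits"].add(user)  # an account the source actually got into
    return stats


def classify(stats, min_attempts=5, min_accounts=5, min_fail_rate=0.6):
    """Bulk stuffing: one source spraying many accounts, mostly failing (throttle the source).
    Targeted: one source hammering a single account (step-up or lock that account)."""
    verdicts = {}
    for src, s in stats.items():
        fail_rate = s["failures"] / s["attempts"]
        if s["attempts"] >= min_attempts and len(s["accounts"]) >= min_accounts and fail_rate >= min_fail_rate:
            verdicts[src] = "bulk-stuffing: throttle source"
        elif s["attempts"] >= 3 and len(s["accounts"]) == 1 and fail_rate == 1.0:
            verdicts[src] = "targeted: step-up auth for account"
        else:
            verdicts[src] = "normal"
    return verdicts
```

The "hits" set per source is what an investigation would use to notify the accounts a stuffing run actually got into, even though the service's own systems were never compromised.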
If an attack is discovered that started prior to 2023, but spans/spanned into 2023, the attack will not count unless it is evident that the company knew about the initial attack, did no mitigation, and left themselves open to a second, distinct copycat event that did occur in 2023.
(Added 2023-01-25) This market will resolve YES earlier than the close date when a) there is a public report of a potentially qualifying breach and b) the company has either admitted or confirmed a sufficient number of details to pass all the criteria. A news report purporting all sufficient details itself isn't enough, and I will allow the time needed for the impacted service to conduct their investigation to confirm.
Otherwise, this market will close at midnight 2024 UTC. The resolution will be four months later on May Day (lol) 2024 UTC. (Based on four months between the attack and disclosure for LastPass). If a suspected but unconfirmed breach is being reported by a service as of May Day, the market resolution will remain pending until that investigation concludes (or "all conclude" if there are, heaven forbid, multiple ongoing).
(Added 2023-01-26) List of services that are being or had been considered as resolution candidates:
Norton Lifelock / Norton Password Manager - NO
Should resolve Yes, I think https://techcrunch.com/2023/01/15/norton-lifelock-password-manager-data/amp/
@anne Bought yes, but I'm not sure if a credential stuffing/password reuse attack would count for resolution criteria
In a notice to customers, Gen Digital, the parent company of Norton LifeLock, said that the likely culprit was a credential stuffing attack — where previously exposed or breached credentials are used to break into accounts on different sites and services that share the same passwords — rather than a compromise of its systems.
@Austin Good point.
Re whether credential stuffing attacks count, I guess it's potentially quite concerning if their systems allowed a large volume of automated password guessing attempts. But this article https://www.pcmag.com/news/hackers-target-norton-password-manager-access-8000-user-accounts says
“We determined that, beginning around December 1, 2022, an unauthorized third party had used a list of usernames and passwords obtained from another source, such as the dark web, to attempt to log into Norton customer accounts. Our own systems were not compromised,” the company wrote in the data breach notice.
So it sounds like password reuse was the main thing here and there's only so much you can do to defend against that.
@anne Woo hoo, spicy! Thank you for the articles 😄
That said, this one is not resolving YES yet. Lemme speak to the criteria as written and then also speak to the question in the thread about credential stuffing attacks.
YES. 925,000 users quoted in the 2nd article is pretty dang close to 1M, enough so that I doubt anyone would quibble hard on just this point.
NO. Attack first occurred prior to calendar 2023. That said, I will clarify in the criteria in case we hear of “an ongoing/recurring attack” that’s hard to discern if it’s one event or multiple.
YES. Cloud hosted encrypted password files, check.
N/A/TBD. Relevant quote from the 1st article:
The notice was sent to customers that it believes use its password manager feature, because the company cannot rule out that the intruders also accessed customers’ saved passwords.
Make sure you have a strong master password, one that's not easily guessable. It's a good idea to use a phrase instead of one or two words, since a longer password will be tougher to crack than a shorter password. It's also advisable to include upper and lowercase letters, numbers and special characters in the phrase, while still making the master password something that's easy to remember, said Daniel Kats, senior principal researcher for Norton, a Gen Digital brand.
Ok - credential stuffing. I’m on the fence, honestly. The fact that several articles point to Norton not requiring 2FA, and (evidently) not using something like PwnedPasswords integration (or any password strength detection… ?), and not having any throttling or killswitch on bulk attacks means imo there is some negligence here on the part of a password security service. But like, then again… why are people using a password manager and also c/p passwords? So, what I’ll do here is add a criterion that a credential stuffing attack will count, because in my mind the burden of responsibility is on the service provider here. But with a caveat that a single reported instance of an isolated impersonation / identity theft (say, of a famous or high profile target) won’t count.
Hope that helps. Thanks again! This is getting exciting!
Will you immediately resolve it YES if a password breach is confirmed or will you wait?
@ZZZZZZ Not sure how I missed this last week.
Yes, I will resolve earlier than May 2024 if a qualifying breach occurs. “Immediately”… based on circumstances I could imagine monitoring a breaking news story while details relevant to the resolution are still surfacing. (For instance, whether it was an employee or an external attacker.)
I’ll edit the description and criteria to clarify.
Would this resolve to YES if Lastpass gets hacked again? Or is anything that happens to Lastpass vaults excluded here?
@MaximilianG Hmmm, good question! I honestly hadn’t considered that as an edge case, but my initial reaction to this question is NO, LastPass part deux would not count.
I did (fortunately) use the word “another” in the title and description, so hopefully this understanding has been concordant with all the traders so far. That said, I’ll amend the description to be precise. Thanks for asking!
Fuck it I’ll go with yes. LastPass was uniquely bad but insane zero days are increasingly pulled off the shelf as conflicts are ramping up.
LastPass was uniquely bad. People have known for 5+ years they were slacking on the security front. The other major password services I don't yet have active knowledge of major problems, and it usually takes a few years for laziness to be punished...