While we were away - two news stories made the headlines. One was the conclusion of the LastPass data breach. The other - was Zurich CEO suggesting cyber will become "uninsurable".
As is tradition - both stories were quickly spun into doomsday, end of the world is nigh, scaremongering. Unfortunately, all nuance was stripped in the pursuit of views, clicks and a slow news cycle.
So I want to take the first two newsletters of 2023 to summarise what was actually reported... Rather than what made the headlines.
This week I'll cover the LastPass data breach.
LastPass Data Breach - What Was Reported
This story has been rumbling since August 2022. For those who don't use it - LastPass is a password manager used to store passwords. It's the one I use, so I've been paying close attention.
In August, a hacker broke into the LastPass development account and "took portions of source code and some proprietary LastPass technical information."
The news from 30 November is "technical information" turned out to be a euphemism for a critical access key - i.e. the equivalent of the username and password - used to access the backups of all customer data. And the hackers came back to steal a copy of the backup files and decryption keys.
In summary, the backups contained customer data - like billing, email, and IP addresses... and a copy of customer data secured with LastPass "zero knowledge encryption".
What Does This Mean?
Have I lost my passwords? Maybe.
All but one line of security defence was breached. The only thing between the hackers and all your passwords is the strength of your Master Password. The one used to log in or unlock the LastPass vault.
This is the one password to rule them all... and the linchpin of the "zero knowledge encryption" used by LastPass.
Suppose your Master Password was 123456 or any of the most common passwords. In that case, you must assume the hacker has access to all your passwords and sensitive information. 😬
If you're about to ask, "Does that mean you need to change all your passwords?" I think you already know the answer to that.
If your Master Password was a complex, one-time password or passphrase, you're in better luck and have more time. It comes down to two details:
- How difficult is it to break the password?
- How distracted are the hackers exploiting other people's more easily accessed passwords?
As a LastPass Customer - What Am I Doing?
Luckily I fall into the latter category - so I have time. However, I will be moving to a new password manager.
Why? Because I expect LastPass to effectively go out of business in the next 5 years.
When I first started using LastPass - it was an independent startup. Since then it was bought by LogMeIn in 2015 and most recently spun out as an independent company again in December 2021 by their private equity owners.
I haven't seen much innovation in the LastPass product in the last seven years. That wasn't a big problem - the service did what it did, was reliable and just worked.
However, the recent pricing games - removing the free version - suggests the LastPass owners are more interested in revenue and "sweating the asset". To achieve this goal, the business needs to be uneventful, and a mundane business environment needs to be maintained.
That's not the case for LastPass. Life at LastPass is eventful at the moment.
A sceptical analysis of the situation would point out that the CEO's continued focus on "zero-knowledge architecture" rests on a dubious foundation...
An unflattering (but correct) description would be:
"LastPass never provided or stored the encryption key. Our customers should have done a better job. We (LastPass) aren't to blame for any password losses. If only you had followed our *latest* default settings and recommendations."
Note: I emphasise the *latest* settings because the default settings have changed over time.
This sounds like security smoke and mirrors. Revenue without liability. LastPass took customers' money while placing the security burden back on the customer.
As 75% of revenue for LastPass now comes from corporate customers, the parallels to the RSA data breach stand out.
When RSA had a similar data breach in 2011, their market share for the SecureID product was over 50%. A decade later, it was down to 0.04%.
As one Fresh Security customer told me before Christmas - "I'm most worried about the hassle and productivity lost from dealing with LastPass issues. I'll take the one-time hit and move elsewhere."
As ever - the practicalities of trust & revenue generation will likely be more influential in the long-term use of LastPass than the actual security of their operation.