There’s a Wave of Hacks Coming, Thanks to LastPass
Today we are touching on a topic I wrote about in March, online security. There have been some developments this week that warrant a revisit. In that newsletter, I warned folks about LastPass having shoddy corporate security practices, and now those chickens are coming home to roost.
Like many of you, for a time I used what they call a “life password.” That's a single password across all of my accounts. It was easy, convenient, and I only had to memorize one password. But the flaw of this method is obvious—if someone gets access to your life password, they have access to your whole online life: your social media accounts, your banking info, your medical records, your retirement accounts—everything. So given that risk, I went away from a life password. By the way, if you just read that and said to yourself “huh, I never thought of that,” you’re welcome. Now you know better.
This week I heard an analogy about all of this that I think is instructive.
Your online security is like a wall. Picture Helm’s Deep from The Two Towers. The people who wish to steal from you and do you harm online are like orcs with ladders. You can do things to make your walls higher and stronger: use randomized passwords, and don’t share or reuse passwords, for example. But the constant parade of corporate data breaches has significantly lengthened the orcs’ ladders, yielding them acres of information on nearly all of us. I passively follow this stuff and even I was shocked to see the scope when I went to review some of the major data breaches this week. Here are some of the hits:
After lying to the public about the scale of the problem, Yahoo admitted in 2017 that an earlier breach exposed the records from 3 billion accounts—three billion accounts
In 2019, First American Financial Corporation allowed hackers to steal 885 million users' records including banking details, social security numbers, wire transactions, and mortgage info
LinkedIn lost data on roughly 700 million users in 2021
The Equifax breach yielded info on nearly 150 million people trapped in a non-consensual relationship with the credit rating company
T-Mobile has experienced two breaches just in 2023, one impacting 37 million accounts; that’s after successful hacks of the company in 2021 (40 million records), two breaches in 2020, and breaches in both 2019 and 2018 (geeeeez)
Thanks to this corporate incompetence, which has largely gone unpunished by regulators, hackers are awash in your personal data: birthdates, mother’s maiden names, home & email addresses, prior passwords, credit histories, etc.
This week no fewer than ten people I know experienced someone trying to hack their Facebook accounts, many of them dormant for years. This included my wife. Folks reported receiving emails saying they requested password resets. Here’s how one version of the scam works:
Facebook allows users to recover their account using a feature called Trusted Contacts. Users can select some trusted contacts so that if they ever lose access to their account, these contacts will provide them with a recovery code to regain their account access. However, scammers exploit this feature to hack into accounts.
So, these cybercriminals exploit this feature, and once they have the one-time recovery code, they first reset the account password, locking out the legitimate owner. They then take control of the account and start contacting the victim's Facebook friends. Following that, scammers make requests for money from those contacts, using various excuses, such as medical emergencies or educational expenses.
It’s a pretty straightforward scam, and much more of this is coming.
As I wrote about in March, people should use password lockers but not LastPass. LastPass is (well, was) the internet’s most widely used password locker but they’ve done a terrible job securing their users’ info. I want to requote Joseph Cox from March reporting for Vice:
“A LastPass engineer was accessing critical services from their home computer and network. LastPass had difficulty distinguishing between the activity of the worker and that of the hacker. The sensitive information—in this case, customers’ password vaults that need the user’s master password to decrypt, but could theoretically be brute forced at some point—was stored less in a bank vault and more in a closet.”
Now it appears people who used LastPass to store their crypto private keys or seed phrases (seed phrases are a random set of 12 to 24 words that people use to open a crypto wallet) are having their wallets drained. If someone has your keys, they have access to your crypto. According to reports, about 35 million dollars in funds have been drained from wallets in recent months, and the common denominator is LastPass:
Bax said the only obvious commonality between the victims who agreed to be interviewed was that they had stored the seed phrases for their cryptocurrency wallets in LastPass.
“On top of the overlapping indicators of compromise, there are more circumstantial behavioral patterns and tradecraft which are also consistent between different thefts and support the conclusion,” Bax told KrebsOnSecurity. “I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”
LastPass declined to answer questions.
Here’s the thing. The Crypto Bros are pretty tech savvy. If the hackers have cracked the encrypted lockers that were stored on LastPass, then they likely have unencrypted access to literally millions of LastPass users’ passwords. We’re likely to see a massive spike in hacks of LastPass users (past & present) in the coming months. Apparently, when you delete your account, LastPass doesn’t delete your data. So even if you’ve quit the service, as I have, the hackers might have access to all of your stored passwords.
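To make concrete why a stolen vault “could theoretically be brute forced at some point” and why a cracked vault would hand over everything inside it, here is an added example (my own illustration, not LastPass’s code or its real parameters). It models what a stolen vault file gives an attacker: a salt, an iteration count and a check value, but never the master password. Every guess costs one full PBKDF2 run, so the two things that decide how long a stolen vault survives are the iteration count and the entropy of the master password. The attacker hash rate and both iteration counts are labelled assumptions chosen only to show the ratio.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Constructed parameters for illustration only; these are NOT LastPass's settings.
ITERATIONS_LOW = 5_000      # assumption: an old, low PBKDF2 iteration count
ITERATIONS_HIGH = 600_000   # assumption: a modern, high iteration count
ASSUMED_SHA256_PER_SECOND = 1e10  # assumption: attacker's offline hash throughput
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.
    Raising `iterations` makes every guess, legitimate or not, cost more."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_verifier(master_password: str, iterations: int) -> dict:
    """Simulate the material a thief obtains from a stolen vault file: salt,
    iteration count and a keyed check value. The master password is not stored."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    check = hmac.new(key, b"vault-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def check_master_password(candidate: str, verifier: dict) -> bool:
    """Testing one candidate requires a full PBKDF2 run; that cost is the defence."""
    key = derive_vault_key(candidate, verifier["salt"], verifier["iterations"])
    candidate_check = hmac.new(key, b"vault-check", "sha256").digest()
    return hmac.compare_digest(candidate_check, verifier["check"])


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, iterations: int, sha256_per_second: float) -> float:
    """Expected offline search time. One PBKDF2 guess costs roughly 2*iterations
    SHA-256 compressions, and on average half the keyspace is searched."""
    guesses_per_second = sha256_per_second / (2 * iterations)
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def random_master_password(length: int = 20) -> str:
    """A uniformly random master password; `secrets` is the right source, not `random`."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    vault = make_verifier("correct horse battery staple", ITERATIONS_LOW)
    print("right password opens vault:", check_master_password("correct horse battery staple", vault))
    print("wrong password opens vault:", check_master_password("hunter2", vault))

    candidates = [
        ("8 lowercase letters", entropy_bits(8, 26)),
        ("10 mixed letters+digits", entropy_bits(10, 62)),
        ("20 mixed letters+digits", entropy_bits(20, 62)),
    ]
    for label, bits in candidates:
        low = expected_crack_years(bits, ITERATIONS_LOW, ASSUMED_SHA256_PER_SECOND)
        high = expected_crack_years(bits, ITERATIONS_HIGH, ASSUMED_SHA256_PER_SECOND)
        print(f"{label:24s} {bits:5.1f} bits  low-iter: {low:.3g} y  high-iter: {high:.3g} y")
    print("fresh random master password:", random_master_password())
```

The table this prints is the practical takeaway: the higher iteration count buys a constant factor (120x here), while every extra character of a random master password multiplies the cost. Neither helps a password that was reused elsewhere and is already sitting in one of the breach dumps listed above, which is why the advice is to rotate everything that was in the vault rather than hope the stretching holds.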
Be safe out there, friends.
Recommendations and Bits for the Week
Your boy is celebrating his 44th trip around the sun on Monday. I’m not really a gift person but here’s my birthday wishlist on LibroFM (😉). In the end, nothing says “Happy Birthday, old man” like a good book.
Speaking of books, I am currently re-reading Chomsky’s Manufacturing Consent. The tome was originally published in 1988 but is incredibly prescient about the patterns we see in media coverage of US policy and the dangers of corporate media consolidation. The names of the conglomerates he rattles off have changed over the years via mergers and acquisitions, creating fewer mega-syndicates: Disney is now = Marvel + ABC + Fox + ESPN + FX + Star Wars + 20th Century + National Geographic + Pixar + most of Hulu—but the story remains the same. In many ways, things are actually much worse than in 1988. I think the book is worth your time.
As always, if you have any thoughts or feedback about the newsletter, I welcome it, and I really appreciate it when folks share Takes & Typos with their friends.