Attack Against LastPass’s Password Vault Reveals The Shortcomings Of Web2


LastPass was breached in August 2022, after the attacker compromised a developer account, according to the company's statement. At the time, the company believed the attacker had obtained only source code and proprietary technical information.

After a further investigation, the company found that the attacker had used that technical information to target an employee's device, and from there obtained credentials and keys that unlocked customer data stored in its cloud storage.

With that access, customer account data was exposed to the attacker, including company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses customers used to reach the service.

The Company Says The Vaults Themselves Remain Protected

In addition, a backup of customers' encrypted vault data was taken. The company's position is that the vaults remain protected because they are encrypted with 256-bit AES, and the key can only be derived from each user's master password, which under LastPass's zero-knowledge architecture never leaves the user's device.


LastPass neither knows nor stores that master password. However, a weak master password can be recovered by offline brute-force guessing against the stolen vault, which would expose every website password it contains.

So customers should follow the company's recommendation to use a long, complex master password; a weak one significantly reduces the number of guesses an attacker needs. One caveat: changing the master password now does nothing for the copy of the vault already in the attacker's hands, so the credentials stored inside a vault protected by a weak master password should themselves be rotated.

Recent Web3 developments have prompted talk of eliminating password hacks altogether, although Web3 itself has been in development for many years. Some reports suggest that the traditional username-and-password login should be replaced by blockchain wallet logins.

Traditional passwords are stored on servers, where they can be stolen or cracked, and if a user reuses the same password across many sites, one stolen password opens all of them. Password managers such as LastPass were created to address this problem.


However, LastPass relies on cloud services to store and manage the encrypted vaults. If an attacker cracks a vault taken from the password manager service, the attacker gains every password that user kept inside it.

Web3 developers claim that Web3-based applications avoid this by signing in with a browser-extension wallet such as MetaMask: the user proves control of a private key with a cryptographic signature, so no password has to be stored or protected by a cloud service.

To date, this method has been used mainly in decentralized applications; traditional applications have no agreed standard for how to use crypto wallets for login, so this form of sign-in does not yet work for centralized applications.

An Ethereum improvement proposal, EIP-4361 (Sign-In with Ethereum), aims to address this. It defines a standard, human-readable message that the wallet signs, so that the same login method can be used by centralized and decentralized applications.

If the Web3 industry can agree on and implement this standard, applications will be able to drop passwords altogether, and with them the class of breach in which stored passwords are exposed.

In a separate incident, a Web3 developer said he had found a flaw in a Solana smart contract that could have been used to steal $30 million, along with project information, with consequences for the entire company.

The developer helped patch the vulnerability, but the project's officials ignored him without so much as a thank-you. Researchers who help in this way should be recognised or rewarded in an industry under constant attack from hackers.
