Are 2.5 Billion Passwords Now at Risk? Hack of Password Manager Highlights Password Security Risks

By Grace de Fries, SVP Marketing, authID.

In August, LastPass, one of the largest password managers with 25 million users, confirmed that it had been hacked. Since researchers have found that the average person has over 100 passwords, this means that more than 2.5 billion passwords could be at risk from the LastPass breach.

According to the company’s CEO, “an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.” The company also indicated there was no evidence of any access to customer data or encrypted password vaults. This is not the first security breach for LastPass, nor will it likely be the last considering the rise in compromised credentials and how sophisticated cybercriminals are becoming every day.

Password managers have often been lauded as a solution to prevent data breaches due to leaked or stolen credentials.
Password managers certainly have benefits: they encourage stronger passwords, enable users to use different passwords across accounts and often have autofill functions to improve user experience. But the LastPass breach highlights the problem with these tools used to manage, store and use passwords in the cloud: password managers, too, can be compromised.

Single Password-Related Breaches

The prospect of a password manager storing billions of passwords being hacked is distressing, particularly considering some of the most notorious breaches were caused by a single compromised credential. In fact, compromised credentials are one of the top contributors to breaches. According to the 2022 Verizon data breach report, cybercriminals used stolen or hacked credentials to access nearly 50% of the organizations that were breached in 2021.

In the infamous SolarWinds breach in early 2020, hackers embedded malware into the software of American software company SolarWinds, which infected thousands of companies, the U.S. Treasury Department and other federal agencies. The breach occurred because an intern unknowingly exposed the password for an internal server account, “solarwinds123”, to the public.

Earlier this year, Microsoft confirmed it had been hacked by LAPSUS$, an extortion-focused hacking group. A Microsoft spokesperson indicated that the breach was facilitated by means of a single compromised account. LAPSUS$, which first emerged in July 2021, has targeted a number of large companies. One of its tactics is “MFA Bombing,” which is used to bypass weaker legacy authentication such as one-time passwords sent by SMS or push authentication prompts sent to a mobile device, showing how easily MFA involving passwords can also be circumvented.

Bad Password Managers

Not all password managers are created equal, but even the top-rated ones have problems.

While password managers can improve many aspects of password use, these services can be accessed with a master password and are also under threat from bad actors. Once a master password is hacked, password managers can be like a house of cards, exposing all of a user’s passwords across websites and services. In addition, many people do not use paid, enterprise versions of password managers, instead relying on free, browser-based password managers that offer less security.

And the bottom line is that password managers are still based on a password model when better authentication solutions exist. Only by eliminating the need for passwords will we be able to eradicate the frequency of breaches, account takeovers, and other criminal activity.

A World Without Passwords

At authID, we are working toward a world where passwordless authentication fortified with facial biometric MFA, rather than passwords, is the norm. Passwords are the leading cause of security breaches and ransomware. They cost enterprises time and money, waste employee time and productivity and tie up IT resources. In addition, device-dependent authentication alone places implicit trust in the possession of the device. These solutions assume that the registered device is in the possession of the user, leaving the door open for unauthorized access.

Today, true enterprise security requires authentication that verifies the actual user, not just a device, every time. authID’s Verified™ prevents breaches with seamless, passwordless login, secured with FIDO2 device-based authentication and phishing-resistant cryptographic security. Verified biometrically verifies the true account owner using a selfie, delivering a biometric chain of trust between users, their accounts, and their devices. Verified delivers Zero Trust authentication including adaptive access capabilities, immutable transaction logs, and strong authentication to protect your environment.