On December 22, 2022, LastPass announced that a data breach first disclosed in August 2022 was far more extensive than initially thought. The news sent shockwaves through the industry, leaving many password manager users — especially LastPass users — concerned about the security of their sensitive information.
The breach is a stark reminder that no online service provider is completely immune to breaches. So today, let’s look at the LastPass data breach and what it means for NordPass users.
The LastPass data breach breakdown
Cybercriminal activity has been on a steady rise for the last decade, and the trend shows no sign of changing. In fact, cybercrime is now the most lucrative form of criminal activity and is estimated to cost the world $10.5 trillion annually by 2025.
As more of our personal and financial information is stored online, it is critical that companies take all necessary steps to protect their customers' data. Unfortunately, the recent LastPass data breach shows that even well-known companies can fall short on security.
The company's latest statement explains that an unauthorized party was able to access LastPass' cloud-based storage environment and copy customer vault data along with information from a backup of customer account information.
The extent of the breach is not yet clear, but it is likely that it included some personally identifiable data such as email addresses, phone numbers, and billing information for some users.
The response from LastPass to the breach has been met with criticism from both industry experts and customers. In fact, it has already led to a class-action lawsuit, with one plaintiff alleging that the data breach resulted in the theft of around $53,000 worth of Bitcoin.
Did the LastPass data breach affect all password manager users?
Let’s be clear — the LastPass data breach does not have any direct effect on NordPass, its users, or their data.
After all, we’re two different companies and products with completely different security approaches and mindsets. However, we admit that seeing a competitor affected by a breach of this magnitude is an acute reminder to stay vigilant and prepared at all times.
Is NordPass a secure place for your digital valuables?
Given the severity of the LastPass data breach, it’s only natural that people are questioning the security of their password manager, including NordPass.
First, a key element of NordPass is that it is a zero-knowledge password manager that uses the XChaCha20-Poly1305 authenticated encryption algorithm to protect everything you store in it.
This means that all data stored in the NordPass vault is first encrypted on your device and only then sent to the cloud-based server. Because of the way NordPass is set up, it is only you — the user — who holds the decryption key and has access to everything stored in your vault.
The NordPass team can’t see or access anything. The same principle applies in the event of a breach. Even if a bad actor were able to get their hands on a copy of your vault data, they would still need your Master Password: the key that decrypts the vault is derived from it on your device and is never stored on NordPass servers, so all an attacker holding the encrypted data can do is guess passwords, paying the full cost of the key derivation function for every guess. That is also why the strength of your Master Password matters.
NordPass CTO Tomas Smalakys offers a more detailed explanation:
Each NordPass user has a unique public-key cryptography key pair. The Public Key is always stored in plaintext form. The Private Key, on the other hand, exists in plaintext form only on the user’s end device for a limited period of time and never leaves it.
When we need to store a user’s Private Key, it’s encrypted with secret-key cryptography (XChaCha20-Poly1305-IETF) on the user’s device and only then passed to us. While the app is unlocked, the unencrypted Private Key is stored in the secure memory accessible only to the NordPass application. When the application is locked, either by the user or automatically after a set period of inactivity, the Private Key is deleted from the secure memory.
For the user’s Private Key encryption, the Master Key is used. The Master Key is derived from the Master Password and a 16-byte unique-per-user cryptographic salt using the key derivation function (Argon2id). We ask the user for the Master Password every time we need to decrypt the user’s Private Key.
- Tomas Smalakys
Tomas further explains that in addition to the encryption principles above, every item (folder, password, credit card, etc.) has two types of data:
Metadata (title, website address, cardholder name, etc.)
Secret data
For secret-key (symmetric) cryptography, we use an authenticated encryption algorithm:
XChaCha20 stream cipher encryption.
Poly1305 MAC authentication.
For public-key (asymmetric) cryptography, we use an authenticated encryption algorithm:
X25519 key exchange.
XSalsa20 stream cipher encryption.
Poly1305 MAC authentication.
User data is encrypted on users' devices and never leaves them in plain text. This means that when the data is in transit or at rest, it is fully encrypted. In the database, both metadata and secret data are encrypted. This means that if bad actors are able to get access to the database or any of its backups, no user data can be accessed.
Furthermore, at NordPass, we feel that due to the nature of our product, our security practices should be transparent. Both NordPass and NordPass Business have had their security posture thoroughly audited by Cure53, a renowned German auditing firm.
NordPass Business has also successfully passed the SOC 2 Type 2 Audit, which ensures that NordPass Business provides proper security controls to manage customer data and protect their interests with regard to privacy.
All these measures help to ensure that the sensitive data stored in NordPass vaults is protected at all times. However, these days bad actors are creative and no longer function as a one-person operation. So it's always important to be vigilant with your own security and use strong, unique passwords for each account as well as enable two-factor authentication whenever possible.
It remains to be seen how the LastPass breach will impact the company and the password management industry as a whole, but one thing is clear: it has shaken user trust and serves as a cautionary tale for the importance of data security.