DEA demanded a user's login details from LastPass
But it never got them
By Rob Thubron
In brief: Password managers are becoming an increasingly important tool in the fight against hackers, helping reduce incidents where the same credentials are re-used across multiple websites. Their popularity has led to government officials demanding the login details of suspected criminals, but companies such as LastPass won't, and usually can't, hand them over.
A recent report by Forbes highlights a case in which the Drug Enforcement Administration (DEA) demanded that LogMeIn, owner of LastPass, hand over logins, physical IP addresses, and communications of customer Stephan Caamano, who is charged with trafficking a counterfeit drug and money laundering.
LastPass never gave up his login details, but it did give the DEA the IP addresses Caamano used, while also revealing the date his account was created and when it was last used. "Such information allows investigators to understand the geographic and chronological context of LastPass access, use, and events relating to the crime under investigation," explained the application for the search warrant.
The Champaign, Illinois, resident allegedly trafficked large quantities of pills containing alprazolam, which is sold under the trade name Xanax, according to the indictment. One of his customers said they ordered the drug from a Reddit user called "Googleplex," who was also active on Dream Market, the dark web marketplace where everything from heroin to stolen financial data can be purchased.
When arrested on May 29, officials discovered the LastPass extension on Caamano's PC, leading to the demand for his login details from LogMeIn. A spokesperson for the company explained why the request could not be fulfilled: "User passwords stored on LogMeIn's servers are only done so in an encrypted format. The only way they get decrypted is on the user's side, and the way that happens---the decryption key---is the user's master password (used to log into LastPass), which is never received by or available to LogMeIn/LastPass. In other words, we have no means of decrypting user password information on our side, and thus, we are unable to provide these passwords."
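The spokesperson's explanation describes the client-side encryption model behind most password managers: the master password is stretched into a vault key on the user's device, the vault is encrypted with that key before upload, and the server only ever sees an opaque blob plus a separate, one-way login value. The block below is an added illustration written for this page, not LastPass or LogMeIn code, and the concrete choices (PBKDF2-SHA256 with the e-mail as salt, an extra derivation round for the login value, and an HMAC-SHA256 counter-mode cipher with encrypt-then-MAC standing in for the AES a real client would use) are assumptions made so it runs with the standard library only. The e-mail, master password and vault contents are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data and parameters; real products choose their own.
PBKDF2_ITERATIONS = 100_000
CONSTRUCTED_MASTER_PASSWORD = "correct horse battery staple"
CONSTRUCTED_EMAIL = "user@example.com"
CONSTRUCTED_VAULT = b'{"reddit.com":"hunter2","example.org":"s3cret"}'


def derive_vault_key(master_password: str, email: str, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Client side: stretch the master password into the vault key. The e-mail is the per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more one-way round over the vault key. This value is what gets sent to log in;
    the server can compare it but cannot run it backwards to recover the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) so the example needs no third-party AES library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(vault_key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the vault key.
    return (hmac.new(vault_key, b"enc", "sha256").digest(),
            hmac.new(vault_key, b"mac", "sha256").digest())


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Client side: encrypt-then-MAC. Output layout is nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Client side: verify the tag first, so a wrong master password fails cleanly instead of yielding garbage."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong master password or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class VaultServer:
    """Everything the provider holds: a salted hash of the auth hash and the opaque encrypted blob."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}

    def register(self, email: str, auth_hash: bytes, blob: bytes) -> None:
        server_salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, PBKDF2_ITERATIONS)
        self.accounts[email] = {"salt": server_salt, "auth": stored, "blob": blob}

    def login(self, email: str, auth_hash: bytes) -> bool:
        acct = self.accounts.get(email)
        if acct is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, acct["salt"], PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, acct["auth"])

    def records_for(self, email: str) -> dict:
        """What could be handed over on request: the blob and the stored login value. No key is held."""
        acct = self.accounts[email]
        return {"encrypted_vault": acct["blob"], "stored_auth_hash": acct["auth"]}

    def try_decrypt_with_what_it_has(self, email: str) -> bool:
        # The only secret-looking value on the server is the stored login hash; used as a key it fails the MAC.
        acct = self.accounts[email]
        try:
            decrypt_vault(acct["auth"], acct["blob"])
            return True
        except ValueError:
            return False


def demo() -> dict:
    """Run the full client/server flow and report who can open the vault."""
    server = VaultServer()
    vault_key = derive_vault_key(CONSTRUCTED_MASTER_PASSWORD, CONSTRUCTED_EMAIL)
    auth_hash = derive_auth_hash(vault_key, CONSTRUCTED_MASTER_PASSWORD)
    server.register(CONSTRUCTED_EMAIL, auth_hash, encrypt_vault(vault_key, CONSTRUCTED_VAULT))
    blob = server.records_for(CONSTRUCTED_EMAIL)["encrypted_vault"]
    try:
        decrypt_vault(derive_vault_key("not the password", CONSTRUCTED_EMAIL), blob)
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return {
        "login_ok": server.login(CONSTRUCTED_EMAIL, auth_hash),
        "client_decrypts": decrypt_vault(vault_key, blob) == CONSTRUCTED_VAULT,
        "server_decrypts": server.try_decrypt_with_what_it_has(CONSTRUCTED_EMAIL),
        "blob_has_plaintext": b"hunter2" in blob,
        "wrong_password_rejected": wrong_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point the flow makes is the one in the quote: the master password never leaves the client, the login value is derived one-way from the vault key rather than being the key, and the server re-hashes even that with its own salt. A warrant served on the server yields the encrypted blob and a hash, which is consistent with the account metadata (creation date, last use, IP addresses) being the only things LastPass could actually produce.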
Other password managers built on the same client-side encryption model are in the same position: they can hand over account metadata but have no way to decrypt a user's vault. That does not hold for every service, so it is worth checking whether a given product keeps the decryption key strictly on the user's device. The full Forbes article has more detail on the case.