Earlier this month, Karim Toubba, CEO of LastPass, released the results of their investigation into two security incidents that occurred last fall. Toubba provided a detailed update on what happened, how it impacted LastPass users, and the actions the company has taken to prevent cybersecurity breaches in the future. The CEO said they have not seen any threat-actor activity to the password vault platform since October 26. In the update, the CEO noted the company serves millions of customers and more than 100,000 businesses.
“We have heard and taken seriously the feedback that we should have communicated more frequently and comprehensively throughout this process. The length of the investigation left us with difficult trade-offs to make in that regard, but we understand and regret the frustration that our initial communications caused for both the businesses and consumers who rely on our products,” Toubba said in a March 1, 2023 blog post.
“In sharing these additional details today, and in our approach going forward, we are determined to do right by our customers and communicate more effectively,” added the CEO.
Last fall there were two cybersecurity incidents impacting customers. Toubba said that neither occurrence was the result of a product defect or unauthorized access to or abuse of their production systems. Instead, it was a threat actor who exploited a vulnerability in third-party software which allowed them to bypass protections to access non-production development and backup storage.
In the first incident, the laptop of a software engineer was compromised, giving a threat actor access to LastPass’s cloud-based development environment. This allowed the hacker to steal source code, technical information, and “certain LastPass internal system secrets.” During that incident, no customer data or password vault data was stolen, and the company employed several safeguards to address the system’s vulnerabilities.
In the second occurrence, a threat actor targeted a senior DevOps engineer through a vulnerability in third-party software. The hacker used that vulnerability to install malware, bypass existing controls, and gain access to cloud backups that held customer data. Through this process, the threat actor was able to obtain data from LastPass systems, including:
- System configuration data
- API secrets
- Third-party integration secrets
- Encrypted and unencrypted customer data
In addition to a thorough investigation, LastPass’s incident response team has combed through the data to identify and correct any vulnerabilities to the password vault platform. Since August, the company has made the following changes:
- Deployed new security technology across their infrastructure, data centers and cloud environments
- Prioritized and initiated significant investments in security, privacy and best practices for operations
- Reviewed security policies and implemented changes that restrict access and privilege
A complete list of LastPass’s actions to secure their password vault is available at LastPass.com.
Copyright © 2023 Authority Media Network, LLC. All rights reserved. Reproduction without permission is prohibited.
What consumers and businesses need to know
LastPass prepared a security bulletin specifically for free, premium and family users to help them review their LastPass settings to secure their accounts. The company also prepared a security bulletin for businesses to help them with a risk assessment of their account configurations and third-party integrations.
LastPass freemium model
LastPass utilizes a freemium model. Single users and families can use the password manager for free on one device. This includes a 30-day premium trial, but users are not obligated to subscribe to continue using the service. Single users can subscribe to the premium plan for $3 a month, billed annually. This plan has additional features including encrypted file storage, a security dashboard, and dark web monitoring.
Families can also subscribe to premium features for $4 a month, billed annually. It includes the same features as the premium subscription plan, but it also offers six individual, encrypted password vaults. Businesses can subscribe to LastPass Teams for $4 per user per month. LastPass Teams is available for 50 users or fewer. LastPass also offers a Business plan for $6 per user per month, billed annually.
In a March 1 email to current and past LastPass users, the LastPass team encouraged LastPass users to read the security bulletins and go through the recommended steps to ensure their passwords and other data are protected.
Sadly, cybersecurity breaches are becoming more common. Schools, businesses and municipalities are getting hit with ransomware attacks on the regular. While LastPass may not have communicated as promptly or effectively as users would have liked, they had their hands full trying to save their ship from sinking and protecting as much data as they could. Unfortunately, they also lost some customers due to the data breaches – including me. I don’t hold a grudge against LastPass, but if a password vault is vulnerable, are any of our passwords safe?
Takeaways for subscription companies: No subscription company wants to admit their systems are vulnerable to attack whether inside or outside the company. However, in addition to immediately deploying an incident response team, companies need to come clean with their customers. Customers, especially those who are subscribing to a product or service, have a right to know if their data has been hacked or could be potentially vulnerable. New security protocols, of course, are expected. Communication should be near the top of the checklist.