Last week, LastPass CEO Karim Toubba notified customers by email and on the company blog of a data breach, the company's second of 2022. Calling it a "security incident," LastPass said it is investigating unusual activity within a third-party cloud storage service that both LastPass and its affiliate GoTo use, but which LastPass did not name.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” wrote Toubba.
LastPass has hired security firm Mandiant and alerted law enforcement. They are working to determine the scope of the breach and identify what information was accessed. The company said its products and services remain fully functional, and it directed customers and other concerned parties to a post on the LastPass website.
“As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity,” Toubba said. “We thank you for your patience while we work through our investigation. As is our practice, we will continue to provide updates as we learn more.”
LastPass published FAQs and directed customers where to go for additional information.
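To make concrete what the "Zero Knowledge architecture" in Toubba's statement does and does not protect, here is an added illustration written for this page. It is not LastPass code and LastPass has not published the details of its scheme here; it shows the general pattern: the client derives the vault key from the master password with PBKDF2-HMAC-SHA256 and encrypts the vault with AES-256-GCM, so the server, and anyone who steals the server's copy, holds only ciphertext. The same property cuts both ways: whoever holds the blob can guess master passwords offline, limited only by the iteration count and the strength of the password. The salt (the account e-mail), the iteration count (1,000, deliberately far below what a real deployment should use), the wordlist and the vault contents are all constructed assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) so this example runs on
// the standard library alone; production code should use a vetted library such
// as golang.org/x/crypto/pbkdf2.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	out := make([]byte, 0, keyLen+hashLen)
	ctr := make([]byte, 4)
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset() // U_1 = PRF(password, salt || INT(block))
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr, block)
		prf.Write(ctr)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ { // U_i = PRF(password, U_{i-1}); T = xor of all U_i
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DeriveVaultKey runs on the client. The server never receives the master
// password or this key; it stores only the blob produced by SealVault.
func DeriveVaultKey(master string, salt []byte, iterations int) []byte {
	return pbkdf2SHA256([]byte(master), salt, iterations, 32) // 32 bytes = AES-256 key
}

// SealVault encrypts the serialized vault with AES-256-GCM.
// Blob layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
func SealVault(key, vault []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, vault, nil), nil
}

// OpenVault reverses SealVault. A wrong key or any tampering with the blob fails
// GCM authentication and returns an error rather than garbage plaintext.
func OpenVault(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// OfflineGuess is what an attacker holding a stolen blob plus the non-secret salt
// and iteration count can do: derive a key per candidate and see whether the blob
// decrypts. Each guess costs `iterations` HMACs; that cost and the master
// password's entropy are all that protect a stolen vault.
func OfflineGuess(blob, salt []byte, iterations int, candidates []string) (string, bool) {
	for _, c := range candidates {
		if _, err := OpenVault(DeriveVaultKey(c, salt, iterations), blob); err == nil {
			return c, true
		}
	}
	return "", false
}

func main() {
	salt := []byte("alice@example.com") // constructed: account e-mail used as salt
	const iterations = 1000             // constructed: deliberately low for the demo
	vault := []byte(`[{"url":"https://bank.example","user":"alice","pw":"s3cret"}]`)
	wordlist := []string{"password", "Summer2022!", "letmein", "correct horse battery staple"}
	for _, master := range []string{"Summer2022!", "q7$Lp!2vZ#mR9wXy&4Kd"} {
		blob, _ := SealVault(DeriveVaultKey(master, salt, iterations), vault)
		fmt.Printf("server-side blob (first 16 bytes): %x\n", blob[:16]) // all the server ever holds
		if guess, ok := OfflineGuess(blob, salt, iterations, wordlist); ok {
			fmt.Printf("weak master password recovered offline: %q\n", guess)
		} else {
			fmt.Println("master password not in wordlist; vault stays opaque")
		}
	}
}
```

The takeaway for the breach at hand: "zero knowledge" means the provider cannot read your vault, not that a stolen vault is useless. With the blob in hand, guessing is an offline, unthrottled exercise, so the master password's length and the KDF iteration count decide how long the encryption holds.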
Second data breach this year
In late August, LastPass disclosed a breach of its development environment. According to a blog post, portions of source code and some proprietary technical information were accessed during a four-day period. During that investigation, LastPass and Mandiant found no evidence that customer data or encrypted password vaults had been accessed; the development environment is physically separated from, and has no direct connection to, the production environment. By contrast, 9to5Mac reports that this second breach did include access to customer data, consistent with Toubba's statement that "certain elements of our customers' information" were reached.
“Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults,” said Toubba.
Following that incident, in which the company reviewed its source code and production builds, LastPass also engaged a cybersecurity firm to strengthen its source-code security practices, including its secure software development life cycle processes, threat modeling, vulnerability management and bug bounty program.
“We have deployed enhanced security controls including additional endpoint security controls and monitoring. We have also deployed additional threat intelligence capabilities as well as enhanced detection and prevention technologies in both our Development and Production environments,” Toubba explained.
“We recognize that security incidents of any sort are unsettling but want to assure you that your personal data and passwords are safe in our care,” added Toubba.
Plans and pricing
LastPass uses a freemium model with personal and business plans. The free personal plan includes unlimited passwords, a 30-day trial of Premium, password saving and autofill, one-to-one sharing, passwordless login and a password generator. Free users can use LastPass on only one device type (computers or mobile devices, not both).
Premium plans allow unlimited devices and cost $3 a month for a single user or $4 a month for a family plan, both billed annually. LastPass offers two business plans: Teams at $4 per user per month and Business at $6 per user per month, both billed annually. Add-ons such as single sign-on and advanced multi-factor authentication are available to business customers.
This is unfortunate, particularly for subscribers who pay for the added security of a password manager protected by a single master password. Two data breaches in roughly three months is concerning, and it could cause LastPass to lose subscribers (including me). That could be costly: if 100 Premium subscribers leave at $36 per year, that is $3,600 in lost annual revenue; if 1,000 leave, $36,000. Those figures are minor on their own, but if business and team customers leave as well, the loss becomes far more significant.
LastPass's competitors include 1Password, which offers similar pricing. After a 14-day free trial, 1Password's individual plan is $2.99 a month and its family plan is $4.99 a month for up to five members, both billed annually. Business plans start at $7.99 per user per month billed annually, with separate pricing for Teams and Enterprise customers.
The lessons here are that LastPass has been transparent with customers and has acted promptly, both of which are critical to retention. For subscribers the lessons are (a) keep a backup of your vault, ideally offline, such as an export stored on an encrypted external drive (a plaintext export is itself a high-value target, so do not leave it unencrypted); (b) remember that the zero-knowledge protection Toubba describes is only as strong as your master password, since an attacker holding a copy of an encrypted vault can guess at it offline, so make that password long, unique and used nowhere else; and (c) follow the cybersecurity best practices published by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA).