#InfosecurityEurope: LastPass CEO Acknowledges Communication Failings During 2022 Breaches

Written by

The LastPass breaches in August and November 2022 generated significant coverage, and criticism, of the password manager provider. The incident not only put customer data at risk, but also their many online credentials, the ramifications of which could be devastating.

The firm’s CEO, Karim Toubba, who had only been appointed to the role just a few months earlier in April 2022, found himself thrown into the deep end in leading LastPass’s response to the incident, and the subsequent fallout.

Speaking to Infosecurity Magazine about the incidents during Infosecurity Europe 2023, Toubba has tried to embrace a positive attitude from the situation, remarking that it enabled him to understand the workings of his new company far more quickly than he would otherwise have done.

Additionally, embracing the mantra ‘necessity is the mother of invention,’ Toubba noted that “we have used this opportunity to invest in security – the irony of this is that we’ll be a much stronger and more secure company.”

He is also determined to be transparent about what happened, and what LastPass got wrong, to help enhance security both internally and externally. “I’ve been a part of the security community for 23 years and information sharing is the lifeblood of it,” explained Toubba.

Communication Breakdown

Despite the positives, there’s no getting away from the fact that this was a damaging incident for LastPass and its customers. In particular, the company’s communications have come in for heavy scrutiny.

It started in August 2022, when the firm published a post revealing that “an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account.”

However, the company reassured customers that it had “achieved a state of containment” and that there was no evidence that customer data or encrypted password vaults were accessed in the breach. In September 2022, it declared it had found no further evidence of activity from the threat actor, and the unauthorized access was limited to its development system, which is “physically separated” from its production environment.

Things soon changed though when the firm released a notice in November 2022 stating that unauthorized party had gained access to a third-party cloud storage device as a result of the information gained in the original August incident, compromising “certain elements” of its customer data.

The incident was a full blown crisis by December 2022, when LastPass informed users that attackers had accessed both encrypted customer data – usernames, passwords and notes – and unencrypted data, such as the website URLs of customers online accounts. This has put LastPass customers’ credentials at substantial risk, protected only by their master password, which is not stored by the firm.

“In retrospect the biggest lesson learned was that we should have created a predictable, continuous cadence of communication."

A big source of frustration for the company’s users was that it took so long to inform them that their personal details were at risk. Toubba emphasized that the company did not forsee that the initial compromise of the developer’s device, would have led to the other breach that put customers’ data at risk.

“At that time we put out all the information we knew, and we knew at that time the customers’ data was not compromised,” he commented.

Lessons Learned 

However, Toubba acknowledged that updates to customers should have been far more frequent and consistent overall, particularly when the company realized personal data was at risk. He said a decision was taken early on to complete the investigation before putting out all the extensive details.

“In retrospect the biggest lesson learned was that we should have created a predictable, continuous cadence of communication – perhaps every two weeks – just to keep in touch with our customers in the market before we completed the investigation,” he said.

After completing a second investigation, LastPass published a blog detailing all its findings in March 2023, declaring it “not seen any threat-actor activity since October 26, 2022.” This blog includes numerous sub links, setting out recommended actions for users and business administrators.

This post also highlights steps taken by LastPass to reduce the risk of a similar incident occurring again. This encompasses areas such as detecting malicious activity to protect developers better and ensuring customers’ data is harder to access in the event of a compromise.

Following his experience, Toubba has two important learnings that he would like to impart on cyber leaders who are faced with a major incident. The first revolves around developing frameworks for more consistent communication – this is often harder than it seems because sometimes the full details aren’t available until further down the line, which can open up further questions that cannot be adequately addressed.

“Trying to find that balance is one of the hardest things and this is one of the things we did not get right during this incident,” he outlined.

Another learning was the extent to which the wider business must be involved in the response to incidents, far beyond just IT and legal. These range from briefing sales teams on how to respond to questions about the breach from clients, and deciding whether to suspend marketing campaigns, said Toubba.

As a result, organizations should “think about the impact of an incident, especially based on its severity and size, to your hole organization, so you can coordinate it holistically.”

Finally, acknowledging that many users would now be concerned about using LastPass going forward, Toubba expressed his determination to win them over by the security improvements being made.

He also urged users to recognize "that the value proposition for password managers today is still extremely strong” and essential to improving authentication generally, including enabling the shift towards passwordless technologies.

Image credit: II.studio / Shutterstock.com

What’s hot on Infosecurity Magazine?