Mar 1, 2023 - Technology

LastPass CEO takes 'full responsibility' for security breach comms

Photo: Omar Marques/SOPA Images/LightRocket via Getty Images

LastPass CEO Karim Toubba said in a blog post Wednesday he takes full responsibility for his company's communications failures about recent cybersecurity incidents.

The big picture: LastPass, a password manager with roughly 30 million users, has been criticized by customers for sharing limited information about two cyber incidents that began in August.

  • A data breach is especially high-stakes for a password manager, since it stores a user's login credentials for many online accounts in one place.
  • "I acknowledge our customers’ frustration with our inability to communicate more immediately, more clearly, and more comprehensively throughout this event," Toubba wrote. "I accept the criticism and take full responsibility."

Catch up quick: Over the last six months, LastPass has repeatedly revised how serious its recent cybersecurity incidents actually were.

  • In August, the company told users that the data breach was limited to LastPass' development environment and didn't affect customer data.
  • A few days before Christmas, the company disclosed a second breach, which built on the access the hackers had gained in the first incident and resulted in sensitive user information being stolen.

Driving the news: This week, the company shared in a difficult-to-find security advisory that attackers initially gained access to LastPass' systems by targeting a key employee's home computer.

  • The advisory also disclosed that attackers in the second reported incident had access to LastPass' cloud storage between August and October.
  • The advisory with these new details wasn't widely shared, and the page carried an HTML "noindex" meta tag, which tells search engines not to list it in results.

What they're saying: "The length of the investigation left us with difficult trade-offs to make in that regard," Toubba wrote in the post.

  • "We understand and regret the frustration that our initial communications caused for both the businesses and consumers who rely on our products."

Details: In Wednesday's post, Toubba said attackers accessed sensitive customer data, source code repositories, internal company secrets and cloud-based backup storage locations.

  • In the first incident, attackers compromised a software engineer's corporate laptop to steal source code, technical information and other corporate secrets. No customer data appears to have been accessed in this initial incident, Toubba wrote.
  • In the second incident, the attackers accessed customers' password vaults and the sensitive information stored in them, as well as an encrypted backup database (and its encryption key) containing copies of LastPass Authenticator information and the telephone numbers associated with multi-factor authentication logins.

Yes, but: Wednesday's blog post doesn't go into the same level of detail as the LastPass advisories that circulated earlier this week, although those advisories are linked from Toubba's post.

  • For instance, the latest blog post doesn't mention that the attackers targeted an employee's home network.

Between the lines: Toubba said the company has been deploying "several new security technologies across our infrastructure, data centers, and our cloud environments to further bolster our security posture" in recent months.

  • LastPass has also conducted a review of which employees have access to what databases, and the company is starting to encrypt more applications and backup infrastructure.

State of play: Users' "master password," the password needed to log into a LastPass account, is the one sensitive piece of information attackers haven't accessed, in part because LastPass doesn't store it to begin with.

  • Without the master password, hackers can't read a user's vault contents.
  • However, figuring out someone's master password isn't always difficult: people tend to reuse passwords, and old passwords leaked in previous breaches are easy for malicious hackers to find on the dark web.

Be smart: LastPass is advising users to make sure they're using a strong, unique master password and to evaluate the strength of the passwords stored for their other accounts.
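Why a reused master password matters once the encrypted vaults are in attackers' hands: with a copy of the vault, the guessing happens offline, one leaked-password list at a time, with nothing to rate-limit it. The script below is an added example written for this page, not code from LastPass or from the article. The vault format, the "leaked" wordlist and the sample entries are constructed for illustration; it uses PBKDF2-HMAC-SHA256 as the key-derivation step (an assumption about the scheme, with the iteration count deliberately set low so the demo runs quickly) and an HMAC-based keystream as a stand-in for a real cipher, since it relies on the Python standard library only.

```python
"""Offline dictionary attack against a stolen, password-encrypted vault.

Constructed example: the vault layout, the sample entries and the
"leaked" password list are made up for this demonstration and are not
LastPass's real format or data. Key derivation is PBKDF2-HMAC-SHA256
(an assumption about the scheme); the iteration count is kept low so
the demo runs fast, which is also exactly what helps an attacker.
"""
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 1000  # deliberately low for the demo; production settings are far higher


def derive_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for a block cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(entries: dict, master_password: str) -> dict:
    """Produce the blob an attacker would steal: salt, nonce, ciphertext and an integrity tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    # The tag protects integrity for the legitimate user, but it also gives a
    # guesser a cheap yes/no oracle for each candidate password.
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(),
            "tag": tag.hex(), "iterations": KDF_ITERATIONS}


def try_decrypt(vault: dict, candidate: str):
    """Return the decrypted entries if `candidate` is the master password, else None."""
    salt, nonce, ct, tag = (bytes.fromhex(vault[k]) for k in ("salt", "nonce", "ct", "tag"))
    key = derive_key(candidate, salt, vault["iterations"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
    return json.loads(pt)


def dictionary_attack(vault: dict, wordlist: list):
    """Try each leaked password in turn. Returns (guesses_made, entries_or_None)."""
    for i, candidate in enumerate(wordlist, 1):
        entries = try_decrypt(vault, candidate)
        if entries is not None:
            return i, entries
    return len(wordlist), None


# Constructed stand-in for credentials scraped from earlier breach dumps.
LEAKED_PASSWORDS = ["password1", "letmein", "Summer2019!", "qwerty123", "hunter2", "P@ssw0rd"]

SAMPLE_ENTRIES = {"bank.example": {"user": "alice", "pass": "x7!Qm2"},
                  "mail.example": {"user": "alice@example.test", "pass": "k9$Lp0"}}


def demo():
    """Same vault contents, two master passwords: one reused from a leak, one unique."""
    reused = encrypt_vault(SAMPLE_ENTRIES, "Summer2019!")              # appears in the dump
    unique = encrypt_vault(SAMPLE_ENTRIES, "correct horse battery staple 7!")  # does not
    return dictionary_attack(reused, LEAKED_PASSWORDS), dictionary_attack(unique, LEAKED_PASSWORDS)


if __name__ == "__main__":
    (n_hit, hit), (n_miss, miss) = demo()
    print(f"reused master password recovered after {n_hit} guesses: {hit is not None}")
    print(f"unique master password recovered after {n_miss} guesses: {miss is not None}")
```

The attacker never touches LastPass's servers in this loop; every guess costs only the KDF work on their own hardware, and a password that already sits in a breach dump falls within a handful of attempts. A long, unique master password sends the same loop to the end of the list with nothing to show, which is the whole content of the "Be smart" advice above.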
