Karim Toubba didn’t have much of a honeymoon at LastPass. Less than four months after he joined the company as CEO, a cyberattack that would evolve into one of the most high-profile security blunders of 2022 was underway.
While LastPass first notified customers of a compromise in August, it wasn't until days before last year came to a close that LastPass revealed a cloud-based backup of all customer vault data, including encrypted passwords, usernames and form-filled data was stolen by a still-unidentified threat actor.
Master passwords, which are not stored or maintained by LastPass, were not compromised — a key detail that likely prevented a catastrophe.
The lessons for Toubba lie largely in the company’s response, where critical information was trickled out over a 7-month period.
“Ultimately, I think we got the transparency piece right. It took us a while and I think therein lies the two issues and the areas of improvement and the lessons learned,” Toubba told Cybersecurity Dive in a phone interview.
LastPass should have shared information more quickly, he said, and not waited for complete disclosure until it had all the information stitched together as it did in March when Toubba issued his fifth and most detailed blog post related to the cyberattack to date.
But the worst of the fallout is in the past, it seems. LastPass hasn’t observed or been notified of any threat actor activity since late October 2022, Toubba said. Moreover, the password manager is not aware of any customers that experienced a follow-on compromise as a result of the data stolen from LastPass.
The monthslong cyberattack did have an impact on LastPass’ business and this year, Toubba has been on a listening tour in a bid to earn back customer trust.
Toubba previously took full responsibility for the communication rollercoaster that followed the password manager’s comprehensive breach and pledged to be more transparent going forward.
“That sort of steady drumbeat of information out to the market would show the progress as opposed to going dark for a period of time while we gathered all the information and then publishing it all at the end,” Toubba said in the Friday interview.
That decision to hold the information was vigorously debated during the incident response and communication process, but “in retrospect, I think we could have done better,” Toubba said.
LastPass is still contending with the crisis of confidence that engulfed the password manager after it shared the full extent of damage, which included the theft of DevOps secrets, configuration data, API secrets, third-party integration secrets and a backup of LastPass’ multifactor authentication database.
In the first quarter of 2023, LastPass’ customer renewal rate took a hit of about 8%, Toubba said. Toubba declined to disclose the customer renewal rate, but he said renewal rates are expected to return to the previous average by the end of this year.
LastPass currently has about 115,000 business customers, Toubba said.
Some customers fled earlier this year, including Netenrich CISO Chris Morales who used the service personally and professionally for about 10 years.
“I actually like LastPass. They had the ultimate scenario go wrong and it just kept unreeling over the last year and I was just dumbfounded,” Morales said in a phone interview in March.
That astonishment came from one critical detail that LastPass shared near the end of its investigation — 1 of 4 DevOps engineers with access to the password manager’s decryption keys manually entered their master password on a malware-laced personal device at home.
“They broke all the rules,” Morales said. “It’s the key management that failed at LastPass.”
Toubba acknowledges more work needs to be done to earn back customer trust, but extensive information sharing, albeit delayed, widespread outreach to LastPass customers and technology upgrades have helped in that regard.
Toubba spent time with more than 200 customers during the last few months, he said. Business leaders are accustomed to cyberattacks and they don’t judge other companies because they’ve been attacked, but they do judge companies for how they respond and deal with the aftermath, Toubba said.
Communication was necessary, although LastPass made some mistakes on that front, “but we also felt that it was important to really take this opportunity to strengthen the team, the processes that the team implements, and then the technology stack,” Toubba said. “I think those things all collectively help sort of regain your confidence.”
Space and time could work in LastPass’ favor as well.
Outlook for password managers
Toubba knew the threats he would be responsible for defending against when he joined the company, but he dismisses the notion password managers should be discredited due to that concentrated risk.
“Our view is the value proposition, even with this incident, as high profile as it was, is still extremely valuable to the market at large, especially if you take full advantage of all the features and capabilities that a password manager gives you,” Toubba said.
“Ironically, in many ways, this incident aside, the value proposition of password management is that you don’t use the same password,” Toubba said.
“By virtue of the data we hold, we're going to have a pretty juicy target on our back [in] perpetuity,” Toubba said. “I don't think it's just a function of password management. I think it's a function of any company or organization that holds information that is aggregated that is a high-value target to attackers.”
LastPass is not alone. Many access and authentication system providers, including Okta, Twilio, KeePass and others have been targeted during the past year. Threat actors have recently focused on file-transfer services, another concentrated attack vector that could lead to many downstream attacks.
Despite the cyberattack that went from bad to worse with every subsequent update from LastPass between August 2022 and March 2023, Toubba asserts the password manager will become a much stronger and more secure platform.
“Having a front-row seat to how an organization behaved during a crisis is something that you rarely get to observe, especially so early in your tenure as CEO,” Toubba said.
“In some ways, as difficult as this situation was, there were quite a few things that we got out of it that made us a much stronger organization,” Toubba said.
“One thing I've learned in the last couple of decades is security is an evolution, it never ends and that's because your adversaries are equally evolving,” Toubba said. “It's something that you'll see us continue to be involved in and talk about openly and pretty publicly.”