Saturday, July 20, 2024


LastPass CEO reflects on lessons learned, regrets and moving forward from a cyberattack

Karim Toubba didn’t have much of a honeymoon at LastPass. Less than four months after he joined the company as CEO, a cyberattack that would evolve into one of the most high-profile security blunders of 2022 was underway.

While LastPass first notified customers of a compromise in August, it wasn’t until days before last year came to a close that LastPass revealed a cloud-based backup of all customer vault data, including encrypted passwords, usernames and form-filled data, had been stolen by a still-unidentified threat actor.

Master passwords, which are not stored or maintained by LastPass, were not compromised — a key detail that likely prevented a catastrophe.

The lessons for Toubba lie largely in the company’s response, where critical information was trickled out over a 7-month period.

“Ultimately, I think we got the transparency piece right. It took us a while and I think therein lies the two issues and the areas of improvement and the lessons learned,” Toubba told Cybersecurity Dive in a phone interview.

LastPass should have shared information more quickly, he said, and not waited for complete disclosure until it had all the information stitched together as it did in March when Toubba issued his fifth and most detailed blog post related to the cyberattack to date.

LastPass CEO Karim Toubba

Permission granted by LastPass


But the worst of the fallout is in the past, it seems. LastPass hasn’t observed or been notified of any threat actor activity since late October 2022, Toubba said. Moreover, the password manager is not aware of any customers that experienced a follow-on compromise as a result of the data stolen from LastPass.

The monthslong cyberattack did have an impact on LastPass’ business and this year, Toubba has been on a listening tour in a bid to earn back customer trust.

Toubba previously took full responsibility for the communication rollercoaster that followed the password manager’s comprehensive breach and pledged to be more transparent going forward.

“That sort of steady drumbeat of information out to the market would show the progress as opposed to going dark for a period of time while we gathered all the information and then publishing it all at the end,” Toubba said in the Friday interview.

That decision to hold the information was vigorously debated during the incident response and communication process, but “in retrospect, I think we could have done better,” Toubba said.

Business impact

LastPass is still contending with the crisis of confidence that engulfed the password manager after it shared the full extent of damage, which included the theft of DevOps secrets, configuration data, API secrets, third-party integration secrets and a backup of LastPass’ multifactor authentication database.

In the first quarter of 2023, LastPass’ customer renewal rate took a hit of about 8%, Toubba said. Toubba declined to disclose the customer renewal rate, but he said renewal rates are expected to return to the previous average by the end of this year.

LastPass currently has about 115,000 business customers, Toubba said.

Some customers fled earlier this year, including Netenrich CISO Chris Morales who used the service personally and professionally for about 10 years.

“I actually like LastPass. They had the ultimate scenario go wrong and it just kept unreeling over the last year and I was just dumbfounded,” Morales said in a phone interview in March.

That astonishment came from one critical detail that LastPass shared near the end of its investigation — 1 of 4 DevOps engineers with access to the password manager’s decryption keys manually entered their master password on a malware-laced personal device at home.

“They broke all the rules,” Morales said. “It’s the key management that failed at LastPass.”

Toubba acknowledges more work needs to be done to earn back customer trust, but extensive information sharing, albeit delayed, widespread outreach to LastPass customers and technology upgrades have helped in that regard.
