LastPass has officially scuppered what little chance it had to mend strained relationships with customers in the wake of a disastrous months-long data breach.
Users of the ill-fated password manager are no strangers to data breaches, having suffered several within the space of a decade. When the company confirmed a cyber attack in August 2022, however, few would have assumed the company would be embroiled in a protracted debacle fraught with mismanaged communications and conflicting reports.
And yet here it is, six months later, still learning the true extent of the damage wrought on its service and, ultimately, customers’ digital lives.
Everything we know about the latest LastPass hack
On 27 February, LastPass provided a crucial update on the scale of the incident – or incidents, one should say. It turns out the initial August breach triggered a chain reaction which left the company wide open for several months.
This first saw a threat actor compromise a software engineer’s corporate laptop, granting them unauthorised access to a cloud-based development environment and enabling them to steal source code, technical information, and “certain LastPass internal system secrets”.
LastPass said “no customer data or vault data was taken” during that incident. But to its detriment, the company then declared this incident closed. This is before learning later that stolen information was used to wage a second attack.
Disclosed in December, the second incident saw hackers gain access to LastPass’ corporate systems after targeting and successfully compromising a senior LastPass DevOps engineer’s home PC. To make matters worse, this engineer was just one of four individuals with access to critical decryption keys. After nearly three years of remote and hybrid working, one would expect a company in the business of information security would have mitigated such remote working security risks.
The threat actor reportedly exploited vulnerabilities in a third-party media software platform, Plex, to broker access. They therein installed a keylogger tracking the engineers’ activity, gaining access to their master password and bypassing LastPass’ authentication processes. It’s from here the house of cards began to crumble.
According to LastPass, the threat actor exported native corporate vault entries and content of shared folders. These contained “encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical data backups”.
“The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data,” another blog post reads.
The most jarring aspect of this second incident is that LastPass said both alerting and logging were enabled but didn’t “immediately indicate the anomalous behaviour” because investigators couldn’t differentiate between the threat actor and legitimate activity.
The entire saga has been a complete disaster from LastPass’ perspective and, faced with an attacker with razor-sharp dedication, there was very little room for error in the first place.
Patience has worn thin
No company is truly immune to security risks – we should all know better than that by now. Incidents occur frequently and we have become all too used to the lingering threat of cyber attacks, data breaches, and the impact this could ultimately have on our digital lives. What we should expect, however, is concise and forthright communication on incidents when our safety and livelihoods could be at risk. Sadly, LastPass simply hasn’t lived up to expectations.
Investigations take time, but the manner in which LastPass has communicated with customers over the past six months has been remarkably poor. With customers waiting with bated breath, one would assume the company would be eager to assuage lingering concerns. Yet, from August until the beginning of March this year, the company drip-fed details to customers and then changed its story in December after uncovering new information.
We all know that good communication following a data breach can salvage reputations. This saga, however, constitutes a huge communication failure and served merely to exacerbate confusion.
To its (albeit minor) credit, LastPass has recognised this failure. CEO Karim Toubba said the company acknowledges “customers’ frustration with our inability to communicate more immediately, more clearly, and more comprehensively throughout this event”.
“I accept the criticism and take full responsibility,” he continued, in a recent advisory. “We have learned a great deal and are committed to communicating more effectively going forward.”
While this is a commendable admission, it’ll likely offer little solace to the 30 million users who, for some weeks now, have been scrambling to change passwords and even consider ditching the service completely.
Password managers are more than just a convenience or luxury, they’re fast becoming the most important gatekeeper to our digital lives – personally and professionally. Users entrust them with critical information, and whether it be social media, retail, professional, or online banking accounts, the prospect of having credentials exposed should fill anyone with dread. Luckily, LastPass isn’t the sole gatekeeper. Unless the company can buck up its security outlook, users may be well advised to consider alternative options, of which there are myriad, and never look back.
