LastPass Customers Dropping Despite Systemic Security Overhaul

The password manager application, LastPass, committed the ultimate cardinal sin, suffering a major data breach last year.

The cybersecurity company LastPass reported a massive breach in August 2022, which resulted in the theft of a cloud-based backup of all customer vault data, including encrypted passwords, usernames, and form-fill data.

The high-profile hack was followed by months of internal investigation by the company, during which more details came to light, and by subsequent investment in reinforced infrastructure.

The company has admitted to “increased customer churn” since the incident but has a positive outlook that it will regain customer trust and return to the same customer levels as before the intrusion.

“We invested across platforms, infrastructure and systems — we believe all of which will mean a more modern and secure customer. This has been a multiyear and multimillion-dollar investment. We’re still looking for ways to continue to invest and we’re not done.” – Karim Toubba, CEO of LastPass

What Did the LastPass Breach Entail?

The threat actor evaded detection for months by blending in with legitimate activity after targeting one of four engineers with access to decryption keys, who manually entered their master password on a malware-laced personal device at home.

The unauthorized party was able to gain access to unencrypted customer account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses.


That same hacker was also able to steal customer vault data, which includes unencrypted data like website URLs, as well as encrypted data like the usernames and passwords for all the sites that LastPass users have stored in their vaults.

The intrusion stopped short of gaining access to master passwords, narrowly avoiding a catastrophe.

Can Customers Trust LastPass Again?

In its latest statement, published last week, LastPass gave an update listing the technical improvements to its cybersecurity that have already been completed or are underway.

The makeover consisted of the following main action points:

  • A cloud security posture management (CSPM) layer that was added to all cloud infrastructure.
  • A new endpoint detection and response (EDR) system it deemed more effective.
  • A secure access service edge (SASE) deployment and improved logs and alerts in its security orchestration, automation and response (SOAR) platform.
  • A move to a new source code management system.
  • A new policy, still rolling out, that will eventually require all customers to use longer and more complicated master passwords.
  • A hardening of key component rotations for Okta and Microsoft Azure AD.
  • Improved recovery options for one-time passwords.
  • An initial deployment of FIDO2 hardware security keys.
  • A reset of security information and event management (SIEM) Splunk tokens and a new SIEM integration, deployed in mid-September, that stores access tokens in encrypted form.
  • Code-safety initiatives around software bills of materials (SBOM) and elevated compliance with Supply-chain Levels for Software Artifacts (SLSA).

While many LastPass customers may have already fled to other password managers, some might say that in light of these technical improvements, and by the laws of probability, LastPass has never been safer than right now.


Written by:
Abby Ward is a contributor at Tech.co and a freelance search engine marketing (SEM) specialist. Since graduating from Kingston University London in 2015 with a Bachelor's degree in Journalism with French, she has worked in many areas of digital marketing, including website management, SEO, and paid media. Her specialist topics span her professional and personal interests in search, social media, ad-tech, education, food & beverage, hospitality, and business.