
ZDNET's key takeaways
- LastPass's CEO says the 2022 security breach has driven the company to greater security heights.
- The firm's security standards are now "beyond what would usually be expected of a standard security program."
- LastPass also says "security is at the very heart of what we do for the consumer."
In an interview with ZDNET, Karim Toubba, the Chief Executive Officer of LastPass, said that the major security incident that has dogged the firm's footsteps since 2022 became "a forcing function to drive a lot of changes."
What is LastPass?
Based in Boston, Massachusetts, LastPass is a security and identity management solutions provider known for its password management vault. Founded in 2008, the organization was acquired by GoTo (formerly LogMeIn) in 2015, then spun off as an independent outfit in 2024.
2022 security incidents
If you are a company that provides privacy and security solutions to the general public and businesses, the last thing you want is to be embroiled in a security breach. Unfortunately for LastPass, this is what happened in 2022.
In August of that year, an "unauthorized party" gained access to portions of the LastPass development environment via a compromised developer account and stole some of LastPass's source code and technical data.
It didn't end there. Information stolen during this attack led to further compromise, including the theft of basic customer account information and related metadata -- such as names, billing addresses, email addresses, telephone numbers, and IP addresses. Furthermore, a backup copy of customer vault data was accessed. Although encrypted, it was still accessed by an intruder who managed to steal a master password from a senior engineer's home computer.
The security incident occurred in 2022, and so you might think that 4 years later, memories would have faded. However, the fallout from the security breach was the latest in a string of security concerns. When you associate a password manager with risk, it's a long road to regain user trust.
The aftermath
Toubba's arrival at LastPass in 2022 was followed by a steady stream of company-wide changes. With the very foundations of LastPass rocked by the security breach, Toubba told me that the firm has been "steadily at work" rebuilding from the ground up.
"I like to tell customers that it's easier to tell them what hasn't changed in the past 3 to 4 years than what has," Toubba said.
Changes focused on 3 areas: people, processes, and technology. Funds were poured into the application itself, the firm's infrastructure, and a shift to the cloud. Security controls were implemented across every system.
Given the human factor's centrality to the security incident, the new CEO also focused on assessing the security posture of employee devices.
"We significantly changed the application stack of all of our employees, [such as] the security capabilities that are on their devices, and then issued new devices to all employees in the form of laptops that were completely locked down," Toubba commented. "I'm a Mac user, and as an example, I can't even go to the App Store with my Mac -- I can only use corporate-sanctioned applications, which are focused and validated."
Hardware authentication measures were rolled out across the board, such as YubiKey dongles. LastPass also overhauled its employee training program, formed a dedicated security team, and engaged third parties for ongoing security audits, including penetration testing.
The future of LastPass
LastPass has made a number of recent improvements, with new services appearing for both consumer and business markets. These include authentication controls to combat shadow SaaS and rogue AI application usage.
According to Toubba, LastPass will continue to balance its approach for both markets, and while there is value in managing credentials, there's also "real value in gaining much broader visibility beyond credential management and the challenges [businesses] have."
Enhanced security practices, improvements under the hood, and increased transparency are all changes in the right direction, but are they enough to re-earn customers' trust?
I asked Toubba why customers should trust LastPass now. This was his response:
"In business and in life, when you're confronted with something pretty meaningful, you kind of have to ask yourself a question: what am I going to do? What's my goal? Am I going to try and spin this, or am I going to use this as a forcing function for change?
"We did the latter. We made a multi-year, multi-million-dollar investment, and we went beyond what would usually be expected of a standard security program. We are proud of the exemplary work that does not just lead to being more secure, but leads us to leading within the industry of what leadership, transparency, and the sharing of information looks like. [...] So, I would say the new and improved LastPass, if you will, is one that puts security at the very heart of what we do for the consumer."