At LastPass, a security overhaul is underway in a monthslong effort to win back customer trust after the password manager was hit by a cyberattack in August 2022 that unraveled into one of the most notorious intrusions last year.
“We invested across platforms, infrastructure and systems — we believe all of which will mean a more modern and secure customer,” LastPass CEO Karim Toubba said via email.
“This has been a multiyear and multimillion-dollar investment. We’re still looking for ways to continue to invest and we’re not done,” Toubba said.
This “systemic change,” as Toubba describes it, is critical for customers’ security and the company’s future outlook.
With some security improvements complete and others still underway, a clear crisis of confidence among some of LastPass’ customers lingers. The scars of the comprehensive breach that exposed a cloud-based backup of all customer vault data remain.
“LastPass has seen about a 9% increase in customer churn since the end of Q4 2022,” Toubba said.
Toubba declined to say how many businesses currently use LastPass, but in a June interview he told Cybersecurity Dive the company had about 115,000 business customers after the customer renewal rate took a hit of about 8% in the first quarter of 2023.
“We’re now seeing evidence that our customer churn rates are improving and we anticipate being back to pre-security incident numbers in early 2024,” Toubba said.
The company’s cybersecurity makeover, a plan it first shared in March,touches a large swath of the alphabet soup of security tool acronyms.
A cloud security posture management (CSPM) layer was added to all cloud infrastructure and the company switched to an endpoint detection and response (EDR) system it deemed more effective.
The company also invested in a secure access service edge (SASE) deployment and improved logs and alerts in its security orchestration, automation and response (SOAR) platform, LastPass said last week in an update.
“We didn’t just address the issues that were the cause of the breach, we literally looked at everything and made investments across the board,” Toubba said.
It’s unclear how enterprise customers will respond to these initiatives.
The true impact of these changes depends on how LastPass’ infrastructure is architected, according to Allie Mellen, principal analyst at Forrester.
“However, the security updates overall are positive —authentication and access improvements, software bill of materials initiatives, new cloud security investments, and data protection updates are efforts every company should invest in,” Mellen said via email.
“Ultimately, these updates are technical, and will be meaningful to security practitioners and LastPass partners, but are likely to have little effect with consumers beyond awareness that LastPass has made broad security enhancements,” Mellen said.
Other security improvements, according to LastPass, include:
- A move to a new source code management system.
- A new policy, still rolling out, that will eventually require all customers to use longer and more complicated master passwords.
- A hardening of key component rotations for Okta and Microsoft Azure AD.
- Improved recovery options for one-time passwords.
- An initial deployment of FIDO2 hardware security keys.
- A reset of security information and event management (SIEM) Splunk tokens and a new SIEM integration deployed in mid September that stores access tokens in encrypted form.
- Code-safety initiatives for SBOM and elevated compliance with supply chain levels for software artifacts.
LastPass did not disclose the vendors it uses or the configuration of its security architecture.
