Communications Litigation Today was a Warren News publication.
'Exhaustive Investigation'

LastPass Has Seen No 'Threat Actor Activity' Since Oct. Breach, Says CEO

Password management company LastPass hasn’t seen any "threat actor activity,” since Oct. 26, the company said in a Wednesday email directing customers to a blog post updating them on steps it took since the data breach it disclosed Dec. 22. In the post, CEO Karim Toubba referenced an “exhaustive investigation” and encouraged users to review the security bulletin and make any necessary changes to their accounts.

LastPass declared closed August breach incident -- when an employee’s corporate laptop was compromised -- after determining no customer data or vault data was taken during the incident. It "later learned that information stolen in the first incident was used to identify targets and initiate the second incident,” Toubba said. The company took remediation actions to address the second breach.

Last month, a third plaintiff filed a motion to consolidate cases under U.S. District Judge Denise Casper in District Court for Massachusetts in Boston in a class action against LastPass parent company Go To Technologies alleging negligence, breach of contract and unjust enrichment (see 2302080046).

Plaintiffs in the class action said LastPass attempted to shift blame from the company to its subscribers, noting the Dec. 22 blog post said master passwords weren’t among the information stolen in the breach “because the master password is never known to LastPass and is not stored or maintained by LastPass.” A plaintiff called that a “shameless attempt” by the company to shift the blame of the negative impact on users by saying “it would be extremely difficult to attempt to brute force guess master passwords” for customers “who follow our password best practices.”

In the Wednesday blog post, Toubba said neither incident in the data breach “was caused by any LastPass product defect or unauthorized access to -- or abuse of -- production systems.” Instead, “the threat exploited a vulnerability in third-party software, bypassed existing controls, and eventually accessed non-production development and backup storage environments.”

Toubba said the company has “heard and taken seriously the feedback that we should have communicated more frequently and comprehensively throughout this process.” The duration of the investigation “left us with difficult trade-offs,” he said, “but we understand and regret the frustration that our initial communications caused for both the businesses and consumers who rely on our products.” He said the company is “determined to do right by our customers and communicate more effectively.”

LastPass shared the technical information with law enforcement and its threat intelligence and forensic partners, but the identity of the “threat actor and their motivation remains unknown,” Toubba said. The hacker made no contact or demands and there was no “credible underground activity” indicating the individual is marketing or selling information obtained during either breach.