Users of the world’s most popular password manager, LastPass, received a shock on Thursday after the company notified them of “some unusual activity within portions of the LastPass development environment”.
LastPass, which enables users to store their encrypted passwords and personal information on its servers, reassured its customers that there was “no evidence that this incident involved any access to customer data or encrypted password vaults”.
Disclosing an incident like this might be considered wise, given the highly sensitive data in the company’s care. But given that there is apparently no evidence that any customer data was breached, did LastPass make the right call?
Millions of Users
LastPass has users all over the world—an estimated 33 million of them, in fact. The company offers both consumer and business products and reportedly turned over $200 million last year.
In terms of its user base, LastPass occupies a relatively comfortable position at the top of the password manager market, above rivals such as 1Password (which boasts 15 million users) and Dashlane (which reports over 10 million users).
The company was acquired by Boston-based software firm LogMeIn (now GoTo) in 2015. However, after GoTo was itself acquired by a private equity firm last year, LastPass announced it would be going solo.
LastPass users can store their passwords and other information in a “vault”. As with most password managers, LastPass users only need to remember one “master password” to access their vault. The software can also autofill password fields via its browser extensions and mobile apps.
Is LastPass Secure?
LastPass vaults are encrypted via the widely-used AES-256 standard. The company also states that it protects user data using the PBKDF2 password-based key derivation function, the SHA-256 cryptographic hash algorithm and salted hashes.
In order to allow users to sync their passwords across devices, encrypted passwords are stored on LastPass’ servers and decrypted at the device level.
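To make the model described above concrete, here is an added example (not LastPass's own code, and not its real parameters) showing the client-side half of the design: the master password is stretched with PBKDF2-SHA256 and a per-user salt into a 256-bit vault key that stays on the device, and only a separately derived authentication hash is sent to, and stored by, the server. The iteration count and the way the authentication hash is built are assumptions chosen for illustration; the AES-256 vault encryption itself is left out.

```python
import hashlib
import hmac
import os

# Constructed parameters for illustration only; LastPass's real iteration
# counts, salts and hash construction are not described on this page.
KDF_ITERATIONS = 100_000
KEY_BYTES = 32  # a 256-bit key, the size AES-256 expects


def derive_vault_key(master_password: str, per_user_salt: bytes) -> bytes:
    """Client-side: stretch the master password into the vault key.
    This key never leaves the device; it is what would decrypt the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               per_user_salt, KDF_ITERATIONS, dklen=KEY_BYTES)


def derive_auth_hash(vault_key: bytes, per_user_salt: bytes) -> bytes:
    """Client-side: one further PBKDF2 round over the vault key gives the
    value used to log in. The server stores this hash, not the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, per_user_salt, 1,
                               dklen=KEY_BYTES)


def enroll(master_password: str) -> dict:
    """What a server record would hold after signup: salt and auth hash only.
    Neither the master password nor the vault key is ever sent."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    return {"salt": salt, "auth_hash": derive_auth_hash(key, salt)}


def client_login(record_salt: bytes, master_password: str) -> bytes:
    """Client-side: re-derive the key locally and send only the auth hash."""
    key = derive_vault_key(master_password, record_salt)
    return derive_auth_hash(key, record_salt)


def server_login(record: dict, presented_auth_hash: bytes) -> bool:
    """Server-side: constant-time comparison against the stored auth hash.
    The server can verify a login without being able to decrypt the vault."""
    return hmac.compare_digest(record["auth_hash"], presented_auth_hash)
```

Because the server holds only the salt and the authentication hash, a copy of its records lets an attacker verify guesses offline but does not hand over vault keys, which is why the per-user salt and a high iteration count matter.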
Some security advocates, who baulk at the notion of storing their most precious personal information on the cloud (which is, after all, simply “someone else’s hard drive”), might eschew LastPass in favour of open-source password management software, such as KeePass or Bitwarden.
For most consumers, however, LastPass is probably secure enough—on paper.
Previous Security Incidents
LastPass has been hit by security issues before. Even so, it appears that no LastPass user’s vault data or master password has ever been compromised.
The company’s first publicly announced security issue was in 2011. LastPass advised all users to change their master passwords following a “network traffic anomaly” that suggested an outsider was pulling data from the company’s systems.
Speaking to PC World after the incident, the company’s then-CEO Joe Siegrist stated that the attacker had not taken “a lot of data”, but nonetheless had extracted “enough to cover people’s usernames and [encrypted] passwords”.
“We’re trying to look at what is the worst possible case and how we can mitigate any risks coming out of that,” Siegrist said. “Could this be just some kind of weird glitch? It could.”
A similar incident occurred in 2015 when LastPass told users that its team had “detected and blocked” suspicious activity that resulted in the compromise of “account email addresses, password reminders, server per user salts, and authentication hashes”.
Again, the attack did not affect encrypted vault data. Nonetheless, LastPass implemented additional verification checks against users that did not have multi-factor authentication enabled.
The company’s browser extension and apps have also been found to have security vulnerabilities on several occasions, including last March, when the Android app was criticised by a security researcher for containing third-party trackers.
To Disclose or Not to Disclose?
Addressing “all LastPass customers” in a blog post on 25 August, CEO Karim Toubba disclosed that an “unauthorised party” had gained access to “portions of the LastPass development environment” and stolen some LastPass source code and technical information.
As with all of the company’s previous security incidents, the incident does not appear to have affected any vault data or master passwords.
So the question arises: Did LastPass really need to disclose this incident? Under data breach notification laws, the disclosure was arguably unnecessary in a legal sense.
Data breach rules vary considerably worldwide. In the UK and the EU, the GDPR sets comparatively strict rules for notifying regulators and individuals about data breaches compared to most other jurisdictions.
Yet under the GDPR, only breaches involving personal data require notification. The recent LastPass incident only involved the company’s source code and “proprietary information”—which, presumably, does not meet the GDPR’s definition of “personal data”.
In other regions, including many US states, data breach disclosure rules are more liberal, often requiring one or more specific categories of personal information (such as a person’s email address and password) to be breached before requiring notification.
Data protection law aside, LastPass might be subject to certain cybersecurity breach disclosure requirements in one or more of the markets in which it operates. However, these laws normally require disclosure to a regulator rather than directly to individual users in the first instance.
If LastPass wasn’t legally obliged to disclose this security incident, the company would have needed to weigh up ethical, technical and reputational factors in deciding whether to notify its customers.
There might be a chance that—armed with the proprietary information stolen from LastPass’ development environment—the attacker goes on to commit further attacks that do compromise people’s vault data.
In that eventuality, early disclosure might end up looking better from a public relations perspective.
However, given the company’s relatively long list of historic security incidents—none of which appear to have significantly impacted any LastPass user’s security—it’s not immediately clear whether disclosing an issue of this type would bring a net benefit to the password manager’s reputation.
There’s a thin line between being transparent and invoking unnecessary panic.