The first rule of being in a hole is, when you’re in a hole, stop digging. LastPass apparently hasn’t learned this.
Today, LastPass sent email to all of its customers with an update about its recent security incident. The email linked to a blog posting with new details about the incident. In the blog posting, they continue to obfuscate the fact that the incident was caused by their failure to follow minimal information security best practices, and that, even now, they still aren’t committing to following them.
Here are two excerpts (with emphasis added) from the blog posting:
Incident 1 Summary: A software engineer’s corporate laptop was compromised, allowing the unauthorized threat actor…
Incident 2 Summary: The threat actor targeted a senior DevOps engineer by exploiting vulnerable third-party software. The threat actor leveraged the vulnerability to deliver malware, bypass existing controls
Note that the description of the first incident says that a laptop was compromised, while the description of the second incident says that an engineer was compromised, and doesn’t mention what hardware was involved. That’s because, as I wrote yesterday, that hardware was the engineer’s personal laptop. They don’t admit that here because of how bad it makes them look. It makes them look bad because it is, in fact, very bad.
And yet they are still not committing to ensuring that all employees with production access are required to use only corporate-controlled and -secured computers when accessing LastPass internal resources.
I am as astounded by this omission today as I was yesterday. I simply cannot comprehend why they were allowing people with production access to use non-corporate computers before this incident, and I find it even more incomprehensible that they haven’t figured out as a result of this incident that they need to change this.
I know I keep hammering on this, but it couldn’t be clearer at this point that LastPass doesn’t understand security and you shouldn’t be using their product.