It’s been over a year and a half since LastPass suffered back-to-back high-profile hacks, and the company now says it has separated from its parent company, GoTo.
GoTo announced that it would spin LastPass off as its own company back in December 2021, six years after buying the company. Now, the password vault company will operate under a shareholder holding company called LMI Parent.
LastPass’ most recent troubles began in late 2022, when it admitted that hackers stole source code in August of that year and then disclosed in November that hackers gained access to “certain elements” of “customer information” but insisted their passwords were safe. That’s open to interpretation, as hackers made off with a copy of a backup of customer password vaults as well as encryption keys for at least some of them.
In September 2023, security researchers said several clues pointed to this hack being used to steal over $35 million from the crypto wallets of more than 150 victims. One of those clues was apparently each of these customers had stored their “seed phrase” — a digital key required for cryptocurrency investment access — in LastPass.
And in January, LastPass started enforcing a 12-character minimum for master passwords for new customers and existing ones when resetting. This is considered the industry minimum for decent security, and although LastPass already defaulted to 12 characters, it would let customers set shorter passwords anyway, which, among other issues, security experts widely panned following its dual breaches.
The company seems to be trying to show it’s reformed. It said it established a “dedicated threat intelligence team” last year, and its recently hired executives include a former McAfee VP.
But it’s still under the same CEO, Karim Toubba, who ran the company when it revealed the truth about its 2022 breach in bits and pieces over several months. It may have a lot of work to do if it wants people to trust it again.