LastPass Separates From Parent After Security Incidents

Password protection provider LastPass has completed its planned separation after nine years under parent company GoTo (formerly known as LogMeIn).

LastPass has announced that it has now separated from GoTo and will operate as an independent company as it focuses on cybersecurity going forward. It comes after a number of serious cybersecurity incidents in the past decade.

LastPass has been owned for nearly a decade by GoTo, which had acquired LastPass in October 2015 in a deal valued between $110m and $125m.

In December 2021 GoTo said it would spin out LastPass as a separate cloud security specialist.

Security incidents

But LastPass has experienced a number of public security incidents in the past decade that may have dented its reputation.

In June 2015, LastPass suffered a major data breach, in which the stolen data could have allowed hackers to guess weak master passwords.

The company said at the time that as a precaution it was prompting all users to change their master passwords.

Then in January 2016 a security researcher (Sean Cassidy) cast doubts on the security of LastPass when he claimed he had discovered a way of gaining login credentials, and even a two factor authentication code, through a phishing attack.

Cassidy went public and publish his exploit on Github after notifying the firm two months previously, but he was not satisfied by their response.

There was another security breach in August 2022, when it admitted hackers had stolen source code and other technical data that had been stored in a third-party cloud service shared by LastPass and GoTo.

In December 2022 LastPass CEO Karim Toubba admitted that the hackers had actually obtained the cloud storage access key and dual storage container decryption keys, and the hackers had used information stolen from the August breach to further compromise the companies’ shared cloud data

In September 2023, The Verge noted that security researchers had said several clues pointed to this hack being used to steal over $35 million from the crypto wallets of more than 150 victims.

The Verge also noted that in January, LastPass started enforcing a 12-character minimum for master passwords for new customers and existing ones when resetting. This is considered to be the industry minimum for decent security.

Although LastPass already defaulted to 12 characters, it would let customers set shorter passwords anyway.

Independent firm

Now LastPass is seeking to put its troubles behind it as “completes journey to become an independent company with enhanced cybersecurity focus and executive leadership team.”

It will be based in Boston., and said it remains committed to protecting digital identities through threat intelligence and deep cybersecurity expertise.

LastPass will operate as an independent company under LMI Parent, L.P. – a holding entity of the existing shareholder group (LastPass is owned by private equity sponsors Francisco Partners and Elliott Management).

It added that as part of LastPass’ evolution, the company is now “guided by an executive team with extensive cybersecurity experience, having recently appointed new chief product, chief marketing and chief information officers, each of whom are widely respected veterans in the industry and dedicated to a clear vision for the future that is grounded in innovation, security, privacy and trust.”

LastPass stated it stands on solid financial ground, and has also invested in establishing a dedicated threat intelligence team.

This specialised team is designed to protect the LastPass community by proactively monitoring for, analysing, and helping to mitigate potential threats targeting LastPass, its customers and the greater industry.

It said that in 2023, the team helped drive a 98 percent decrease in credentials offered for sale by information-stealing malware families.

“Our journey forward as an independent company is filled with excitement and gratitude,” said Karim Toubba, CEO, LastPass. “We are entering this new era with a strong market position, underpinned by an unmatched threat intelligence apparatus and an executive team with vast experience spanning multiple security fields.”

“Together, we are all committed to delivering solutions that never compromise on security, quality, or performance – helping to set new standards in the cybersecurity landscape on behalf of our valued customers, dedicated employees, and the industry for years to come,” Toubba concluded.