Hope everyone is having a restful holiday! I’m still running a sale for paid subscriptions until the end of the year. Thanks for all the support! If you want to support me more, you can get it for 50% off.
LET’S BE FRANK
In my last newsletter, I talked about my thoughts on the LastPass hack. There was some confusion on where I drew certain conclusions, and in general, people wanted me to break down the official announcement to better understand my thought process, so here it is!
In general, I believe the announcement was purposefully vague and tried to downplay the severity of the breach. It seems like other security experts share my beliefs. Although I believe that LastPass’s intentions were not malicious or meant to fully evade, I do believe that it’s the company’s job, or their PR team’s job, to minimize fallout. In many ways, I feel for LastPass’s security team. They are doing their best. It’s important to know that the security team rarely has strong influence on external communications, which are primarily decided by the leadership/executive team, who lack full context.
However, I described in the other post that there are some mitigations in place, such as MFA for important sites (hopefully, you don’t also double up your LastPass as your MFA device…) and having critical sites ramp up their fraud and account takeover detection as a result of this.