It’s been over a year and a half since LastPass suffered back-to-back high-profile hacks, and the company now says it has split from its parent company, GoTo.
GoTo announced in December 2021 that it would spin off LastPass as its own company, six years after buying the business. Now, the password vault company will operate under a shareholder holding company called LMI Parent.
In September 2023, security researchers said that several clues suggested that this hack was used to steal more than $35 million from the crypto wallets of over 150 victims. One such clue was apparently that each of these customers had stored their “seed phrase” – a digital key required to access cryptocurrency investments – in LastPass.
And in January, LastPass started to enforce a minimum of 12 characters for master passwords for new and existing customers when resetting. This is considered the industry minimum for decent security, and although LastPass already defaulted to 12 characters, it would allow customers to set shorter passwords anyway, which, among other issues, security experts widely criticized following its double failings.
The company appears to be trying to show that it has reformed. It said it created a “dedicated threat intelligence team” last year and that its recently hired leaders include a former vice president at McAfee.
But it was still the same CEO, Karim Toubba, who was running the company when it revealed the truth about its 2022 breach in bits and pieces over several months. He might have a lot of work to do if he wants people to trust it once again.