LastPass, and the Foundation of Trust

So, LastPass has famously dropped the ball. In late December 2022, tucked into the holiday season, LastPass announced that threat actors had obtained copies of backups of encrypted customer vaults, and could attempt to brute force master passwords offline to get at all of the juicy secrets inside. More recently, the full extent of the breach has been coming to light. Although the technical details are integral to making decisions, LastPass's communications have been completely taken over by legal. The LastPass communications team has not released a blog post since November, deepening the emerging tension between LastPass's lawyers and the enterprise and personal customers (like me) who were affected. A password manager is a product whose value proposition is tied directly to trust and mutual understanding, and the current debate underscores the issues that arise when an open source community interacts with a closed source corporate bureaucracy.

As the Open Source Security Podcast does a good job of highlighting, the glaring issue is that LastPass's current communications strategy is actively confusing to their most important customers. When any security product fails, the right response is determined by the nature of the breach. Building clear next steps relies on clear communication between the technical teams on both sides. In this case, developers responsible for rotating API keys and updating credentials aren't even clear about what exactly the breach was. Does the threat actor have access to vault metadata? If so, what did "encrypted vault" ever really mean? From what I can tell, a major contributor to the general sense of confusion is that developers have lost faith that the words LastPass uses in its promotional content and its crisis response mean the same thing as the words they use in their day to day work.

Trust relies on clear and open communication. The impression is that LastPass is prioritizing mitigating backlash by mediating the conversation that needs to happen about the consequences of the breach. In other words, LastPass has entered a vicious cycle of lying to their most affected customers, and rather than rebuilding developer confidence, they've turned their most valuable customers into their most outspoken critics.