As much as LastPass seems to be trying to pin this on a single engineer, and not a broad vuln, the fact that they have such lax policies around access management, especially for a password management system, tells me all I need to know to never use them again.
Waiting for the rebrand and the incoming lawsuits.
Yep. The symptom being that a problem of this scale can be caused by a single engineer, which points to the root cause being deeper and potentially systemic.
The question for future trust is: what's been / being done to prevent the same thing from happening again due to another single engineer?
Preventing this thing from happening costs a lot of $$$, so pretty much everyone just "accepts the risk", seeing that the probability of something like this happening to your company (during your tenure) is still super low. All companies with a somewhat robust security posture that I know have had a string of incidents in the past; that seems to be the only thing that can motivate them to put $ into security.
It's not really very expensive to issue employees a laptop (which costs a percent or two of an engineer's annual salary) and tell them "All work must be done on the work laptop, no personal files/software allowed on the work laptop". For a little more money, they can add active management of the work devices, but just keeping work and personal device use separate would have prevented this.
There is, but in this case it was the employee's personal software that allowed the back door. It's ludicrous that LastPass allowed employees to put sensitive data (i.e. their password manager) on personal computers with, apparently, no restrictions on what software they run.
Closing the barn door doesn't guarantee that the horses can't escape, but when you don't even have a barn door, it's hard to blame the stable boy when the horses get out.
Yeah, this is the equivalent of blaming an intern for nuking the prod database. Maybe they were careless, or maybe that shouldn't be possible to begin with.