by greatgib 1391 days ago
"engaged a leading cybersecurity and forensics firm."

This is the current trend each time there is a breach: let's pretend/show that we are serious and waste money hiring "security" consultants who will in the end probably tell us obvious things.

Pay more or listen to your own employees instead and eventually go hire competent engineers instead of funding bullshit jobs.

Lastpass is supposed to be in the "cyber security" field, so it is a little bit ridiculous to say that you need external help on this subject...

2 comments

Security incident response is a very specialized role that the vast majority of not only ordinary tech companies but also security tech companies can't necessarily be expected to do entirely on their own in the event of suspicion of a serious breach.

This isn't hiring an auditor or consultant to recommend better security practices but more like a team of world-class detectives, investigators, and forensicists to figure out exactly what happened and how, what they might have done or taken, if they still have or could regain access, and, potentially, ideas as to who or what the culprits may be and what their objectives were. In particular, you want to have as much confidence as possible in what they may have done when they had access to your systems and that they have been effectively shut out and don't have any other access points/backdoors.

LastPass undoubtedly also has their own security incident response team - most companies probably should - but it's like the local county PD calling in the FBI when a serious or sophisticated crime occurs.

Accidents can and will happen. If Lastpass conducted the review it wouldn't be seen as impartial; they need a third party to remain transparent.