Four Months In

April 2022. Karim Toubba signs on as CEO of LastPass - a company sitting on the credentials of millions of people and 100,000 businesses. The job description: lead one of the world's most trusted security brands into a new era of identity management. He has done this before. He built Kenna Security into a category-defining company, sold it to Cisco, and spent a year integrating it. He knows the terrain.

Then August arrives. A threat actor compromises a developer's account. The breach is real, the data is sensitive, and the world's press finds the story irresistible: the password manager got hacked. Toubba had been on the job for four months.

By virtue of the data we hold, we're going to have a pretty juicy target on our back in perpetuity.

Karim Toubba, CEO of LastPass

What followed wasn't an exit. It was the beginning of something else entirely - a reconstruction that Toubba would later describe, with dry understatement, as easier to measure by what didn't change than by what did. The answer, it turned out, was almost nothing. The company was essentially rebuilt from the inside out: new infrastructure, new security teams, new certification stack, new independence from parent company GoTo, and a new direction.

Toubba took the public beating. In his own words, he acknowledged that the company's communication during the incident was too slow, too infrequent, and too unclear - even when their instinct to verify facts before publishing was reasonable. He called it the hardest balance in crisis management. He didn't hide from the criticism. He owned it at Infosecurity Europe, in CybersecurityDive interviews, and on LinkedIn posts that attracted thousands of comments, many of them not flattering.

$110M total funding (LastPass)
800+ employees worldwide
8% renewal rate drop (Q1 2023, post-breach)
92% of IT leaders say passkeys improve security

Numbers that defined a crisis - and a comeback

From Environmental Science to the Identity Wars

The career that brought Toubba to LastPass doesn't run in a straight line. He graduated from UC Davis with a degree in environmental science - not computer science, not engineering - and started as a technical support engineer at NetManage in 1996. The path from there to CEO of one of the world's most scrutinized security companies winds through six companies over nearly three decades.

At Digital Island, he oversaw an $850 million services and products group. At Ingrian Networks, he drove annual revenue past $22 million in under 30 months. At Juniper Networks, he ran the Security Business Unit's products and strategy for a billion-dollar business. Each stop added a layer: technical depth, product sense, market strategy, commercial scale.

The Kenna Security chapter is where the Toubba template becomes visible. Risk I/O - later renamed Kenna Security - was a startup trying to make sense of the overwhelming volume of vulnerability data that security teams were drowning in. Toubba came in as CEO and helped the company build an entirely new category: Risk-Based Vulnerability Management. The idea was to stop treating all vulnerabilities as equally urgent and start using machine learning and real-world threat data to prioritize what actually needed fixing. Cisco agreed. The acquisition closed in July 2021.

Toubba's environmental science degree didn't predict a cybersecurity career. What it did suggest was someone comfortable working in systems with incomplete information, complex interdependencies, and the constant pressure to act before all the data is in.

He spent about a year at Cisco overseeing the Kenna integration alongside the company's EDR and XDR portfolio before the LastPass opportunity presented itself. The pattern is consistent: find a market at an inflection point, build the product that defines what comes next, then move.

What a Multi-Million Dollar Security Overhaul Actually Looks Like

After the breach, Toubba didn't issue a press release and wait for the news cycle to move on. He conducted a listening tour with more than 200 business customers. He assembled new security teams under a Chief Secure Technology Officer. He pushed LastPass toward certifications it didn't have: SOC3, BSI C5, TRUSTe, and Google Play's Independent Security Review. Employees were moved to company-provided devices. More stored data was encrypted. YubiKey authentication was implemented to prevent unauthorized hardware access.

The separation from GoTo - which owned LastPass as part of its portfolio - was completed in May 2024. LastPass became fully independent, with its own infrastructure, its own capital structure, and its own strategic runway. Toubba called it a new era. Given the previous two years, that phrase earned its weight.

The Transformation Arc
From breach to independent company in under 24 months
Apr 2022 - Toubba joins as CEO
Aug 2022 - Security breach disclosed
200+ Customers on listening tour
$M+ Multi-year security investment
May 2024 - Full independence from GoTo

Toubba is characteristically direct about what the company got wrong. The lesson he returned to most often wasn't the technical failure - it was the communication failure. His prescription: a steady, predictable cadence of updates, even before all the facts are confirmed. Silence, he found, reads as evasion. That kind of self-assessment, delivered publicly and without hedging, is rarer than it should be in corporate crisis management.

We have used this opportunity to invest in security - the irony of this is that we'll be a much stronger and more secure company.

Karim Toubba, 2023

Passwords Are a Holdover. Toubba Is Building What Comes After.

The company called LastPass is increasingly uncomfortable with the name. Not literally - but strategically, Toubba is steering it away from the "manager" framing and toward something bigger. Identity and access management. Shadow SaaS visibility. Passwordless authentication. The whole constellation of problems that emerge when every employee uses dozens of apps, most of them unauthorized, most of them accessed with a reused password.

Toubba's number: 75% of credentials are reused. People do it because it's easy. Attackers exploit it because it works. A vast majority of breaches start with the identity layer - which means the solution has to live there too. His argument is that password managers were always a stopgap, a smarter way to do a fundamentally fragile thing. Passkeys are the escape hatch. Device biometrics tied to a cryptographic key, with no shared secret to steal.

Toubba's Security Thesis
Identity is the Perimeter
Zero Trust Architecture
Passwordless Auth
Passkeys + Biometrics
Shadow SaaS Visibility
Adaptive MFA
Credential Vaulting
Zero-Knowledge Security
IAM Platform

The eight pillars of how Toubba is repositioning LastPass beyond passwords

At RSAC 2025, Toubba outlined LastPass's new "Secure Access Experiences" framework - a platform play that includes SaaS monitoring to give organizations visibility into what applications their employees are actually using. The pitch: for the first time, administrators can see the full picture - what apps are running, who's using them, and whether those apps meet security standards. The configuration time? About three minutes, he says. The cynical read is that every security vendor claims simplicity. The more generous read is that Toubba built a category once before by finding the gap between what enterprises needed and what the market was selling. He appears to be looking for the same gap again.

There are quite a few password managers in the market, but we recognised a couple of years ago that the world has changed drastically.

Karim Toubba, SecurityBrief, 2025

Beyond the Security Perimeter

Toubba lives in Orinda, California - Contra Costa County, east of Oakland - which puts him about 3,000 miles from the LastPass headquarters on High Street in Boston. Remote leadership is not new to him; his career has always spanned geographies. He built out EMEA business from the US, ran global product teams at Juniper, and now leads a company whose customers are distributed across 190 countries.

He sits on the board of Alternative Family Services Group, a California-based nonprofit focused on supporting children and families - a commitment that predates his LastPass role and runs alongside it. It's the kind of detail that doesn't make the press release but says something about how someone chooses to spend their non-billable hours.

His LinkedIn and Twitter (@ktoubba, since 2009) reflect a consistent preoccupation: the tension between security rigor and user experience. His Entrepreneur.com columns have argued that zero trust is the cybersecurity shift every business needs to make, and that most companies have a glaring hole in their security strategy because they're still thinking inside the perimeter. He writes with the directness of someone who has sat in enough board rooms to know that abstract frameworks don't survive contact with a stretched IT team managing 200 SaaS applications.

The UC Davis environmental science degree is a detail worth sitting with. Toubba didn't grow up in a computer lab. He came at technology sideways - through systems thinking, through the problem-solving habits that come from a discipline that deals in complex, interconnected, often invisible forces. That framing - security as an ecosystem, not a wall - threads through his public statements about identity, trust, and the end of perimeter-based security.

In His Own Words

Security is an evolution. It never ends - because your adversaries are equally evolving.

Karim Toubba

A vast majority of attacks start with the identity.

SecurityBrief Interview

Our challenge as vendors is to build security that's both stronger and easier to use.

Karim Toubba

I accept the criticism and take full responsibility for our communications during the incident.

Post-Breach Statement, 2023

I've been a part of the security community for over 25 years - and information sharing is the lifeblood of it.

Infosecurity Magazine

Even with this incident, as high profile as it was, the value proposition is still extremely valuable.

CybersecurityDive, 2023

2026 and the Passwordless Bet

LastPass opened 2026 with a formal expansion of its mission - "Secure Access Essentials" became the new organizing framework, built around the reality that modern organizations run on browser-based apps, AI tools, and SaaS subscriptions that nobody's IT department fully controls. Toubba's bet is that the market for identity and access management is still early-stage in its shift away from on-premises, credential-based thinking.

The February 2026 TechRadar interview captured the flavor of where he's operating now - pragmatic, specific, and committed to the idea that LastPass has earned back the conversation with customers. The headline he chose to characterize the past four years: it's easier to say what hasn't changed than what has. In context, that's not evasion. It's a claim about the scope of a rebuild that most outside observers underestimated when it was happening.

Ninety-two per cent of IT leaders say passkeys will improve their security posture. That level of awareness is critical to driving adoption. - Karim Toubba, 2026

The industry is watching. LastPass's renewal rate took an 8% hit in Q1 2023. The arc since has been a slow, deliberate rebuild of credibility - certifications, infrastructure transparency, new product capabilities, and a CEO who seems constitutionally unable to give a vague answer when a direct one is available. That kind of leadership is the wager. Whether the market matches the ambition is the story still in progress.

What's clear is that Toubba is not running the company that existed when he arrived. The people, the infrastructure, the strategy, and the story are different. He found an organization at an inflection point - admittedly a sharper one than anticipated - and did what he has done before: built toward what comes next rather than defending what came before.