UK Slaps LastPass With Fine for 2022 Data Breach Affecting Millions

Summary
– The UK Information Commissioner’s Office (ICO) fined LastPass £1.2 million for security failures that led to a 2022 breach affecting up to 1.6 million UK users.
– The breach involved two stages: an attacker first stole source code and encrypted credentials from a developer’s laptop, then used a compromised senior employee’s device to obtain a decryption key.
– The stolen data included customer names, emails, phone numbers, and encrypted password vaults containing website URLs, usernames, and passwords.
– The ICO and LastPass warn that while vaults were encrypted, weak master passwords could be cracked via brute-force attacks, potentially exposing stored data.
– The ICO emphasized that password manager companies must secure their systems, and users should employ strong, complex master passwords or passphrases.
The UK’s data protection authority has imposed a significant financial penalty of £1.2 million on LastPass following a major 2022 security incident. The Information Commissioner’s Office (ICO) determined the password management company failed to protect the personal data of up to 1.6 million UK users, which was stolen along with encrypted password vaults. This enforcement action underscores the critical responsibility companies have when handling sensitive customer information.
The breach unfolded in two stages beginning in August 2022. Initially, a hacker compromised a LastPass employee’s laptop, gaining entry to the company’s development environment. While no user data was taken at this point, the attacker stole source code, technical information, and encrypted company credentials. LastPass believed the incident was contained, as the decryption keys for these credentials were held separately in the vaults of four senior staff members.
This assumption proved incorrect. The very next day, the attacker targeted one of those senior employees by exploiting a known vulnerability in a third-party media application, widely reported to be Plex, installed on the employee’s personal device. This allowed the hacker to install malware, capture the employee’s master password with a keylogger, and bypass multi-factor authentication using an already-authenticated session cookie.
A critical security lapse amplified the damage: the employee used the same master password for both personal and business vaults. This enabled the attacker to access the business vault and steal an Amazon Web Services access key and a crucial decryption key. Armed with these keys and the previously stolen data, the attackers breached the cloud storage of GoTo, a related company, and stole LastPass database backups stored there.
The stolen customer data was extensive. It included encrypted password vaults, names, email addresses, phone numbers, and associated website URLs. LastPass CEO Karim Toubba explained at the time that the attacker copied basic account information, metadata like billing addresses and IP addresses, and a backup of customer vault data. This vault data was in a proprietary format containing both unencrypted website URLs and fully encrypted sensitive fields like usernames, passwords, and secure notes.
The ICO notes that the attacker did not decrypt the customer password vaults, a protection afforded by LastPass’s “Zero Knowledge” architecture where master passwords are known only to users. However, LastPass itself warned that the security of these encrypted vaults hinges entirely on the strength of a user’s master password. The company advised customers with weak passwords to reset them, as GPU-powered brute-force attacks can crack weak master passwords, potentially unlocking vaults. Some security researchers assert this has already occurred, linking decrypted vaults to cryptocurrency thefts.
Information Commissioner John Edwards stated that while password managers are vital security tools, companies providing them must rigorously secure their access controls and internal systems. He emphasized that LastPass failed in its obligation to meet customers’ reasonable expectation of protection, leading to the substantial fine. The ICO advises all organizations to reassess device security, remote work risks, and access restrictions.
For users, the incident reinforces fundamental security practices. Using a strong, complex master password is non-negotiable. While LastPass recommends passwords of at least 12 characters with a mix of letters, numbers, and symbols, experts suggest that for highly sensitive data like a password vault, a master password of at least 16 characters or a long, multi-word passphrase offers far greater resistance to offline cracking attempts.
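As an added illustration (not code from the article or from LastPass), the following Python scores a candidate master password against the two bars the text mentions, LastPass's 12-character mixed minimum and the 16-character or multi-word passphrase advice, and estimates the work an offline guessing attack faces. The 1,000,000 guesses/second rate, the 7776-word diceware list size and the rule that three or more words count as a passphrase are assumptions.

```python
import math

# Assumed offline guess rate (constructed figure for illustration): the real
# rate depends on the attacker's GPU hardware and on how expensive the vault's
# key-derivation function makes each guess.
ASSUMED_GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600
DICEWARE_WORDS = 7776  # size of a standard diceware word list (assumption)


def charset_bits(password: str) -> float:
    """Entropy if each character were drawn uniformly from the union of the
    character classes present (printable ASCII: 26+26+10+33 = 95). This is an
    upper bound; keyboard walks and dictionary words are far weaker."""
    space = 0
    if any(c.islower() for c in password):
        space += 26
    if any(c.isupper() for c in password):
        space += 26
    if any(c.isdigit() for c in password):
        space += 10
    if any(not c.isalnum() for c in password):
        space += 33
    return len(password) * math.log2(space) if space else 0.0


def passphrase_bits(word_count: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy of word_count words chosen at random from a word list."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate in a keyspace of 2**bits."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def check_master_password(password: str) -> dict:
    """Apply the page's two bars: LastPass's 12-char mix of letters, numbers
    and symbols, and the stricter 16-char (mixed) or 6+ random-word advice.
    A string of 3+ words is scored as a random passphrase (assumption)."""
    words = password.split()
    is_phrase = len(words) >= 3
    bits = passphrase_bits(len(words)) if is_phrase else charset_bits(password)
    mixed = (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)
             and any(not c.isalnum() and not c.isspace() for c in password))
    strong_chars = len(password) >= 16 and mixed
    return {
        "bits": round(bits, 1),
        "meets_lastpass_minimum": len(password) >= 12 and mixed,
        "meets_vault_recommendation": len(words) >= 6 if is_phrase else strong_chars,
        "years_to_exhaust": years_to_exhaust(bits),
    }
```

Comparing a 12-character and a 16-character fully mixed password shows the four extra characters multiply the keyspace by 95^4, roughly 81 million times more work for the same guess rate.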
In response to the fine, LastPass provided a statement expressing disappointment with the outcome but noting the ICO’s decision recognized steps the company has since taken to strengthen its platform. “Our focus remains on delivering the best possible service to the 100,000 businesses and millions of individual consumers who continue to rely on LastPass,” the company said.
(Source: Bleeping Computer)