
UK Imposes Fine on LastPass for Data Breach Affecting 1.6 Million Users


LastPass, a popular password management firm, faced a hefty fine of £1.2 million from the UK Information Commissioner’s Office (ICO) due to a security breach in 2022. This breach led to the theft of personal information and encrypted password vaults belonging to approximately 1.6 million UK users.

The ICO revealed that the breach originated from two interconnected incidents in August 2022. In the first, an attacker compromised a LastPass employee's laptop and gained access to the company's development environment. Although no personal data was taken in this incident, the attacker obtained the company's source code, proprietary technical information, and encrypted company credentials.

Initially, LastPass believed the breach was contained, because the decryption keys for those credentials were stored separately in the vaults of four senior employees. However, the attacker targeted one of these employees the following day by exploiting a known vulnerability in a third-party streaming application on the employee's personal device.

Through this access, the attacker deployed malware, captured the employee's master password with a keylogger, and bypassed multi-factor authentication by reusing an already-authenticated session cookie. Because the employee used the same master password for their personal and business vaults, the attacker gained access to the business vault and stole crucial information.

Subsequently, the attackers breached the cloud storage firm GoTo and stole LastPass database backups stored on the platform. The stolen data included encrypted password vaults, names, email addresses, phone numbers, and website URLs associated with customer accounts.

LastPass CEO Karim Toubba explained that the threat actor copied basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses. Additionally, a backup of customer vault data containing sensitive fields such as website usernames and passwords was also copied.


While the ICO clarified that the attacker did not decrypt customer password vaults, thanks to LastPass' "Zero Knowledge architecture," under which master passwords are never stored by the company, LastPass had previously advised customers to reset weaker master passwords for added security.

Following the breach, LastPass recommended strong, complex passwords of at least 12 characters combining uppercase and lowercase letters, numbers, and symbols or other special characters. For highly sensitive material such as password vaults, it suggested a master password of at least 16 characters or a long multi-word passphrase.
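To make the two recommendations above concrete, here is an added example (not code from the article or from LastPass) that checks a candidate password against the 12-character/mixed-class rule and a vault master password against the 16-character-or-passphrase rule, and gives a rough entropy estimate for each. The wordlist size (7776, the Diceware list) and the five-word passphrase threshold are assumptions of this example, not figures from the article.

```python
import math
import string

# Policy values taken from the article's recommendations.
MIN_PASSWORD_LEN = 12   # ordinary passwords: 12+ chars, mixed classes
MIN_MASTER_LEN = 16     # vault master password: 16+ chars ...

# Assumed values (not from the article): "long multi-word passphrase" is
# read as at least 5 words, and each word is assumed to be drawn from a
# 7776-word list (the size of the Diceware list).
ASSUMED_MIN_PASSPHRASE_WORDS = 5
ASSUMED_WORDLIST_SIZE = 7776

REQUIRED_CLASSES = {"lower", "upper", "digit", "symbol"}


def character_classes(pw: str) -> set:
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
        else:
            classes.add("other")   # spaces, non-ASCII, etc.
    return classes


def meets_password_policy(pw: str) -> bool:
    """12+ characters using all four classes (upper, lower, digit, symbol)."""
    return len(pw) >= MIN_PASSWORD_LEN and REQUIRED_CLASSES <= character_classes(pw)


def meets_master_policy(pw: str) -> bool:
    """16+ characters, or a passphrase of at least the assumed word count."""
    return len(pw) >= MIN_MASTER_LEN or len(pw.split()) >= ASSUMED_MIN_PASSPHRASE_WORDS


def estimated_entropy_bits(pw: str) -> float:
    """Rough guessing-entropy estimate.

    A space-separated string of two or more words is treated as a passphrase
    of words chosen uniformly from the assumed wordlist. Anything else is
    treated as characters chosen uniformly from the union of the classes it
    uses. Both are upper bounds: human-chosen strings are far less random.
    """
    words = pw.split()
    if len(words) >= 2:
        return len(words) * math.log2(ASSUMED_WORDLIST_SIZE)
    classes = character_classes(pw)
    alphabet = 0
    alphabet += 26 if "lower" in classes else 0
    alphabet += 26 if "upper" in classes else 0
    alphabet += 10 if "digit" in classes else 0
    alphabet += len(string.punctuation) if "symbol" in classes else 0  # 32
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def assess(pw: str) -> dict:
    """Summarise a candidate against both recommendations."""
    return {
        "length": len(pw),
        "classes": sorted(character_classes(pw)),
        "ok_as_password": meets_password_policy(pw),
        "ok_as_master": meets_master_policy(pw),
        "entropy_bits": round(estimated_entropy_bits(pw), 1),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("short1!A", "Tr0ub4dor&3!", "correct horse battery staple"):
        print(candidate, "->", assess(candidate))
```

Note that the character-class estimate can rate a 12-character "complex" string above a four-word passphrase; that is an artefact of assuming perfectly random characters, which human-chosen passwords never are. The practical lesson from the article is the length one: a longer master password or passphrase raises the cost of offline guessing against a stolen encrypted vault, which is precisely the scenario LastPass customers were told to prepare for.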

Security Recommendations

Information Commissioner John Edwards stressed that companies, and password managers in particular, must ensure their access controls and internal systems are robust against targeted attacks. He noted that LastPass customers were entitled to have their personal information protected, and said the company's failure to meet that obligation was the reason for the penalty.

The ICO advised organizations to review their device security, remote work risks, and access restrictions. Customers were encouraged to adopt strong password practices and consider using longer master passwords or passphrases for heightened security.
