LastPass has been fined £1.2m ($1.6m) by the UK’s data protection watchdog for security failings that led to a major 2022 data breach.
The Information Commissioner’s Office (ICO) judged that the password management provider failed its customers by not putting in place sufficiently robust technical and security measures.
The regulator admitted there’s no indication that threat actors were able to decrypt customer passwords. That’s because the master password required to access password vaults is stored locally on customers’ devices.
However, an estimated 1.6 million users were affected by the breach. Personal information, including customer names, email addresses, phone numbers and stored website URLs, was apparently compromised.
Information Commissioner John Edwards said the watchdog continues to recommend the use of password managers by businesses and consumers as a way to improve identity and access management (IAM).
“However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced,” he added.
“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today.”
How the LastPass Data Breach Unfolded
The breach involved several stages:
- A threat actor compromised a LastPass employee’s corporate laptop to access the firm’s development environment and steal encrypted corporate credentials to a backup database
- LastPass believed encryption keys were safe as they were stored in another location
- However, the same hacker targeted a senior employee with access to the decryption keys, after compromising their device by exploiting a known vulnerability in a third-party streaming application
- They installed a keylogger on the device, which captured the employee’s master password, and bypassed MFA using a trusted-device cookie
- The hacker accessed the employee’s personal and business LastPass vaults, linked under the same master password
- Inside the business vault, they found AWS access and decryption keys
- With this information and the previously stolen encrypted credentials they were able to extract the contents of the backup database containing personal information
Chris Linnell, associate director of data privacy at consultancy Bridewell, pointed to several lessons learned.
“For service providers, this is a reminder that security isn’t just about the product itself,” he explained. “You need strong information security and privacy frameworks in place, and you can’t ignore the less obvious risks – backups, secondary databases, and other systems that attackers often target.”
The breach also shows why acceptable use policies matter, Linnell added.
“Staff need clear guidance on what they can and can’t do with company devices,” he said. “In this case, the vulnerability came from a third-party streaming service – approved or not – which also serves as another reminder of how much risk sits in the supply chain. We’ve seen this before, and it’s not going away.”
