LastPass hit with ICO fine after 2022 data breach exposed 1.6 million users – here’s how the incident unfolded

The impact of the LastPass breach was felt by customers as late as December 2024

Emma Woollacott's avatar
By
published
in News
LastPass logo pictured on a smartphone screen alongside earbuds and car key.
(Image credit: Getty Images)

Password manager provider LastPass has been hit with a £1.2 million fine for failing to prevent a massive data breach.

The Information Commissioner's Office (ICO) found that a combination of two incidents over two days in August 2022 put more than 1.6 million customers at risk.

According to the data protection watchdog, the company “failed to implement sufficiently robust technical and security measures”.

Commenting on the fine, information commissioner John Edwards said LastPass failed customers and “fell short” on expectations that the company would employ robust measures to protect personal data.

Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use,” he said.

“However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced," Edwards added.

“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today."

The LastPass breach explained

The LastPass breach unfolded in two separate phases. In the first incident, a hacker compromised an employee’s corporate laptop and gained access to the company’s development environment.

While no personal information was taken, encrypted company credentials were - which, if decrypted, would allow access to the company’s backup database.

LastPass took steps to mitigate the hacker’s activity, but thought the encryption keys were safe, as they were stored in the account vaults of four senior employees, outside the area accessed by the hacker.

However, the next day, the hacker targeted one of these employees, gaining access to their personal device via a known vulnerability in a third-party streaming service.

The hacker then installed a keylogger, capturing the employee’s master password and bypassing multi-factor authentication (MFA) using a trusted device cookie. This gave access to the employee’s personal and business LastPass vaults, which were linked using a single master password.

Thereafter, the threat actor gained access to the employee’s business vault, which contained the Amazon Web Service (AWS) access key and decryption key. When combined with information taken the day before, this allowed the hacker to extract the contents of the backup database containing the customers' personal data.

LastPass’ ‘zero knowledge’ system prevented disaster

As the ICO noted in its post-mortem of the incident, the threat actor responsible for the breach wasn't able to decrypt encrypted passwords and other credentials.

This was thanks to LastPass’ use of a ‘zero knowledge’ encryption system, whereby the master password required to access a password vault is stored locally on a customer’s own device and never shared with LastPass.

While this represented a reprieve for the company and users, the impact of the breach was felt by customers as late as December 2024.

A probe by crypto investigator ZachXBT found hackers stole $12.38 million in cryptocurrency from LastPass users on 16 and 17 December 2024.

Chris Linnell, associate director of data privacy at Bridewell, said the ICO fine represents a “big moment” for the industry and highlights the need for more robust processes at password managers.

These platforms hold the keys to the castle for enterprises and consumers alike, and security practices at providers should reflect that.

"It’s not the largest penalty we’ve seen under John Edwards, but it definitely plays into public expectations - people trust password managers to keep them safe, so when they fall short, it makes headlines," he said.

"For service providers, this is a reminder that security isn’t just about the product itself. You need strong information security and privacy frameworks in place, and you can’t ignore the less obvious risks - backups, secondary databases, and other systems that attackers often target.”

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

Emma Woollacott
Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

Latest
You might also like
View More ▸