Password manager provider LastPass has been hit with a £1.2 million fine for failing to prevent a massive data breach.
The Information Commissioner's Office (ICO) found that a combination of two incidents over two days in August 2022 put more than 1.6 million customers at risk.
According to the data protection watchdog, the company “failed to implement sufficiently robust technical and security measures”.
Commenting on the fine, information commissioner John Edwards said LastPass failed customers and “fell short” on expectations that the company would employ robust measures to protect personal data.
“Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use,” he said.
“However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced," Edwards added.
“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today."
The LastPass breach explained
The LastPass breach unfolded in two separate phases. In the first incident, a hacker compromised an employee’s corporate laptop and gained access to the company’s development environment.
While no personal information was taken, encrypted company credentials were - which, if decrypted, would allow access to the company’s backup database.
LastPass took steps to mitigate the hacker’s activity, but thought the encryption keys were safe, as they were stored in the account vaults of four senior employees, outside the area accessed by the hacker.
However, the next day, the hacker targeted one of these employees, gaining access to their personal device via a known vulnerability in a third-party streaming service.
The hacker then installed a keylogger, capturing the employee’s master password and bypassing multi-factor authentication (MFA) using a trusted device cookie. This gave access to the employee’s personal and business LastPass vaults, which were linked using a single master password.
Thereafter, the threat actor gained access to the employee’s business vault, which contained the Amazon Web Service (AWS) access key and decryption key. When combined with information taken the day before, this allowed the hacker to extract the contents of the backup database containing the customers' personal data.
LastPass’ ‘zero knowledge’ system prevented disaster
As the ICO noted in its post-mortem of the incident, the threat actor responsible for the breach wasn't able to decrypt encrypted passwords and other credentials.
This was thanks to LastPass’ use of a ‘zero knowledge’ encryption system, whereby the master password required to access a password vault is stored locally on a customer’s own device and never shared with LastPass.
While this represented a reprieve for the company and users, the impact of the breach was felt by customers as late as December 2024.
A probe by crypto investigator ZachXBT found hackers stole $12.38 million in cryptocurrency from LastPass users on 16 and 17 December 2024.
Chris Linnell, associate director of data privacy at Bridewell, said the ICO fine represents a “big moment” for the industry and highlights the need for more robust processes at password managers.
These platforms hold the keys to the castle for enterprises and consumers alike, and security practices at providers should reflect that.
"It’s not the largest penalty we’ve seen under John Edwards, but it definitely plays into public expectations - people trust password managers to keep them safe, so when they fall short, it makes headlines," he said.
"For service providers, this is a reminder that security isn’t just about the product itself. You need strong information security and privacy frameworks in place, and you can’t ignore the less obvious risks - backups, secondary databases, and other systems that attackers often target.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Most passwords take a matter of minutes to crack
- Passwords are a problem: why device-bound passkeys can be the future of secure
- How to create a secure password policy
-
OpenAI says future models could have a ‘high’ security riskNews The ChatGPT maker wants to keep defenders ahead of attackers when it comes to AI security tools
-
Why Dell PowerEdge is the right fit for any data center needAs demand rises for RAG, HPC, and analytics, Dell PowerEdge servers provide the broadest, most powerful options for the enterprise
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Trend Micro issues warning over rise of 'vibe crime' as cyber criminals turn to agentic AI to automate attacksNews Trend Micro is warning of a boom in 'vibe crime' - the use of agentic AI to support fully-automated cyber criminal operations and accelerate attacks.
-
Cyber budget cuts are slowing down, but that doesn't mean there's light on the horizon for security teamsNews A new ISC2 survey indicates that both layoffs and budget cuts are on the decline
-
NCSC issues urgent warning over growing AI prompt injection risks – here’s what you need to knowNews Many organizations see prompt injection as just another version of SQL injection - but this is a mistake
-
Chinese hackers are using ‘stealthy and resilient’ Brickstorm malware to target VMware servers and hide in networks for months at a timeNews Organizations, particularly in the critical infrastructure, government services, and facilities and IT sectors, need to be wary of Brickstorm
-
AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals — and teams at Amazon are already seeing huge gainsNews AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals, and the company has already unlocked significant benefits from the technology internally.
-
OpenAI hailed for ‘swift move’ in terminating Mixpanel ties after data breach hits developersNews The Mixpanel breach prompted OpenAI to launch a review into its broader supplier ecosystem
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
