

Ethical Hacking News

LastPass Faces £1.2 Million Fine for 2022 Data Breach Fiasco




LastPass, one of the world's most widely used password managers, has been fined £1.2 million by the UK Information Commissioner's Office (ICO) for its role in a two-part data breach in 2022 that compromised up to 1.6 million personal records. The incident highlights the importance of robust security measures and organizational protocols in protecting sensitive user data.

  • LastPass was fined £1.2 million by the UK's Information Commissioner's Office for a two-part data breach in 2022.
  • A security failure allowed an attacker to access and exfiltrate sensitive information, including source code repositories.
  • Insufficient policies, such as allowing staff to use the same master password across personal and business accounts, contributed to the breach.
  • A miscommunication between teams led to the attack remaining undetected for months.
  • The second incident involved a US-based senior DevOps engineer's compromised desktop PC, which was exploited to steal the company's AWS access key and decryption key.
  • Customers' personal data, including email addresses, phone numbers, and physical addresses, were stolen in the breach.
  • LastPass failed to implement robust technical and security measures to protect its users' data.



    The UK's Information Commissioner's Office (ICO) has imposed a hefty fine of £1.2 million on password manager LastPass following a two-part data breach in 2022 that compromised the personal information of up to 1.6 million UK users. The incident, which occurred between August and October 2022, involved multiple security failures and miscommunications between LastPass's development team and its parent company GoTo.

    According to the ICO, the first security failure occurred when an attacker gained unauthorized access to a company software developer's work-issued MacBook Pro, accessed the corporate development environment, and exfiltrated 14 out of around 200 LastPass source code repositories. The attacker was caught after triggering an AWS security alert following their attempts to manipulate access management commands that were beyond the developer's permission.

    One of the major factors contributing to this breach was LastPass's policy at the time of the attack, which allowed and actively encouraged senior staff to link their personal and business accounts using the same master password. This included staff members who had access to sensitive corporate data. When the DevOps engineer's desktop was compromised via a Plex bug, the attacker gained access to LastPass company secrets.

    Another organizational snafu led to the attack remaining undetected for months. AWS detected unusual activity and sent GuardDuty alerts to the LastPass distribution list between October 15 and 22, 2022. However, these notifications were not picked up by LastPass's security operations center (SOC) until November 2 due to a failure in the company's transition away from its former parent, GoTo.

    The SOC email distribution list contained only one LastPass staffer, its director of software development engineering; the rest of its members were GoTo employees. This outdated distribution list and the miscommunication between the two teams meant that the AWS notifications did not reach their intended destination until 18 days after the first one was sent.
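The failure described in the two paragraphs above is an alert-routing problem rather than a detection problem: GuardDuty fired, but the recipient list no longer matched the people responsible. The following Python audit is an added example, not code from the article or from LastPass or AWS. It takes a constructed staff directory and a constructed distribution list (the account names and `.example` domains are placeholders), flags recipients who are external, unknown or inactive, checks that a minimum number of in-house responders are subscribed, and computes the pickup delay between the first alert and the SOC acknowledgement using the dates the article gives.

```python
"""Audit an alert distribution list against the current staff directory.

Added example (hypothetical names and domains). Generalises the article's case:
any recipient list can be checked for external, unknown or inactive members and
for a minimum in-house responder count, and any alert/acknowledgement pair can be
measured for pickup delay.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed staff directory: email -> (employer, still_active).
DIRECTORY = {
    "dir-swe@lastpass.example": ("lastpass", True),
    "soc-lead@lastpass.example": ("lastpass", True),
    "analyst1@lastpass.example": ("lastpass", True),
    "alice@goto.example": ("goto", True),
    "bob@goto.example": ("goto", True),
    "carol@goto.example": ("goto", False),  # has since left the former parent
}

# Constructed distribution list modelled on the article: one in-house staffer,
# everyone else from the former parent company, plus one address nobody owns.
SOC_DISTRO = [
    "dir-swe@lastpass.example",
    "alice@goto.example",
    "bob@goto.example",
    "carol@goto.example",
    "dave@goto.example",  # not present in any directory
]


@dataclass
class DistroAudit:
    """Result of auditing one distribution list."""
    in_house: list = field(default_factory=list)   # active members of the owning org
    external: list = field(default_factory=list)   # active members of another org
    inactive: list = field(default_factory=list)   # directory says they have left
    unknown: list = field(default_factory=list)    # not in the directory at all
    min_in_house: int = 2

    @property
    def ok(self) -> bool:
        """True only if enough in-house responders are subscribed and nothing is stale."""
        return (len(self.in_house) >= self.min_in_house
                and not self.external and not self.inactive and not self.unknown)

    def findings(self) -> list:
        """Human-readable list of problems, empty when the list is healthy."""
        out = []
        if len(self.in_house) < self.min_in_house:
            out.append(f"only {len(self.in_house)} in-house responder(s); "
                       f"need at least {self.min_in_house}")
        for label, members in (("external", self.external),
                               ("inactive", self.inactive),
                               ("unknown", self.unknown)):
            for m in members:
                out.append(f"{label} recipient: {m}")
        return out


def audit_distro(distro, directory, in_house_org="lastpass", min_in_house=2) -> DistroAudit:
    """Classify every recipient of an alert distribution list."""
    result = DistroAudit(min_in_house=min_in_house)
    for member in distro:
        entry = directory.get(member)
        if entry is None:
            result.unknown.append(member)
            continue
        employer, active = entry
        if not active:
            result.inactive.append(member)
        elif employer == in_house_org:
            result.in_house.append(member)
        else:
            result.external.append(member)
    return result


def alert_pickup_delay_days(first_sent: datetime, acknowledged: datetime) -> int:
    """Whole days between the first alert being sent and the SOC acting on it."""
    return (acknowledged - first_sent).days


if __name__ == "__main__":
    audit = audit_distro(SOC_DISTRO, DIRECTORY)
    for line in audit.findings():
        print("FINDING:", line)
    # Dates from the article: first GuardDuty alert Oct 15, SOC pickup Nov 2, 2022.
    print("pickup delay (days):",
          alert_pickup_delay_days(datetime(2022, 10, 15), datetime(2022, 11, 2)))
```

Run on a real list, the directory lookup would be replaced by an HR or identity-provider export; the point of the check is that it runs on a schedule, so a reorganisation or a divestiture that silently strands a SOC mailbox is caught before the next alert needs it.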

    In addition to these security failures, the ICO stated that LastPass failed to implement sufficiently robust technical and security measures to protect its users' data. The regulator believed that there were also organizational measures that should have reasonably been taken at the time to prevent such a breach.

    The second incident took place on August 12, 2022, and involved the compromise of a personal desktop PC belonging to a US-based senior DevOps engineer, one of four individuals who had access to the decryption key for LastPass's server-side encryption with customer-provided key (SSE-C). The attacker gained remote access to this PC by exploiting CVE-2020-5741, a vulnerability in Plex Media Server, and installed a keylogger that captured the engineer's master password, which was later used to bypass multi-factor authentication.

    The attacker then used this access to acquire LastPass's AWS access key and decryption key, which together with SSE-C could be used to download the company's backup database. Customers' personal data, including names, email addresses, telephone numbers, IP addresses, and physical addresses, were stolen in the breach.

    However, there is still no evidence to suggest that any of the stolen vault passwords were ever decrypted. Among the stolen data were more than 1.6 million email addresses and IP addresses, 248,407 telephone numbers, 159,809 names, and 118,103 physical addresses.

    In its response to the ICO's findings, LastPass said it had initially thought the SSE-C key was safe after the first attack because its decryption key was protected by the vaults of four senior security staffers. It did not anticipate that the SSE-C key would be compromised once the attacker stole the decryption key on August 20.

    The ICO stated that it issued the fine due to LastPass's failure to implement sufficiently robust technical and security measures. The regulator also believed that there were organizational measures that should have reasonably been taken at the time to prevent such a breach.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/LastPass-Faces-12-Million-Fine-for-2022-Data-Breach-Fiasco-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/12/11/lastpass_ico_fine/

  • https://www.theregister.com/2025/12/11/lastpass_ico_fine/

  • https://www.techspot.com/news/107092-federal-agents-confirm-lastpass-hack-connection-high-profile.html


  • Published: Thu Dec 11 10:55:01 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
