LastPass has been fined £1.2 million by the UK Information Commissioner's Office (ICO) in relation to a 2022 data breach that impacted over 1.6 million users. The company was criticized for its handling of user data and failure to implement adequate security measures.
The United Kingdom's Information Commissioner's Office (ICO) has announced a significant fine of £1.2 million against the password management firm, LastPass, in relation to a major data breach that impacted over 1.6 million UK users in 2022.
This is not the first time that LastPass has faced scrutiny for its handling of user data. In fact, it marks the latest incident in a string of high-profile breaches involving the company's services.
The breach, which occurred in August 2022, began when an attacker gained access to a LastPass employee's laptop and accessed portions of the company's development environment. This initial breach allowed the attacker to obtain sensitive information, including proprietary technical details and encrypted company credentials.
However, it was not until the following day that the attack became truly devastating. The attacker targeted one of the senior employees, who had previously been granted access to a master password on their personal device. This access allowed the attacker to deploy malware, capture the employee's master password using a keylogger, and bypass multi-factor authentication by reusing a session cookie that had already passed MFA.
As a result, the attacker was able to access the business vault and steal an Amazon Web Services access key and a decryption key. These keys, combined with the previously stolen information, allowed the attacker to breach the cloud storage firm GoTo and steal LastPass database backups stored on the platform.
The ICO stated that the threat actor copied information from a backup that contained basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
Interestingly, the ICO noted that the attackers did not decrypt customer password vaults, as LastPass' "Zero Knowledge architecture" does not know or store the master passwords used to decrypt vaults, and they are known only to customers.
However, the ICO emphasized that this does not excuse the company's failure to implement adequate security measures. According to the regulator, companies offering password management services like LastPass must ensure access controls and internal systems are hardened against targeted attacks.
"Depending on the length and complexity of your master password and iteration count setting, you may want to reset your master password," reads a LastPass support bulletin about the cyberattack. The warning makes the residual risk explicit: the encrypted vaults in the stolen backups could be attacked offline, so each user's master password strength and configured iteration count determined how exposed that user was.
Some researchers have even claimed that weak master passwords were used to decrypt LastPass vaults, leading to cryptocurrency theft attacks. The ICO has called on organizations to review their device security, remote work risks, and access restrictions.
The ICO also emphasized the importance of using strong, complex passwords, which should be at least 12 characters and include upper- and lowercase letters, numbers, symbols, and special characters.
Finally, the regulator has cautioned that in attacks like these, where increased computational power and offline cracking can occur, it is safer to use a master password of at least 16 characters or a long multi-word passphrase to secure highly sensitive information, such as password vaults.
The fine imposed by the ICO marks a significant penalty for LastPass, which demonstrates the regulator's commitment to protecting consumer data. The incident serves as a stark reminder of the importance of robust security measures and responsible password management practices.