UK fines LastPass over 2022 data breach impacting 1.6 million users

Gandalf_The_Grey

The UK Information Commissioner's Office (ICO) fined the LastPass password management firm £1.2 million for failing to implement security measures that allowed an attacker to steal personal information and encrypted password vaults belonging to up to 1.6 million UK users in a 2022 breach.

According to the ICO, the incident stemmed from two interconnected breaches starting in August 2022.

The first breach occurred in August 2022, when a hacker compromised a LastPass employee's laptop and accessed portions of the company's development environment.

While no personal data was taken during this incident, the attacker was able to obtain the company's source code, proprietary technical information, and encrypted company credentials. LastPass initially believed the breach was contained because the decryption keys for these credentials were stored separately in the vaults of four senior employees.

However, the following day, the attacker targeted one of those senior employees by exploiting a known vulnerability in a third-party streaming application, believed to be Plex, which was installed on the employee's personal device.

This access allowed the hacker to deploy malware, capture the employee's master password using a keylogger, and bypass multi-factor authentication using an already MFA-authenticated cookie.

Because the employee used the same master password for both personal and business vaults, the attacker was able to access the business vault and steal an Amazon Web Services access key and a decryption key.

These keys, combined with the previously stolen information, allowed the attackers to breach the cloud storage firm GoTo and steal LastPass database backups stored on the platform.
 
That article is a good (if painful) case study in how multiple smaller issues can chain together into a major breach.

Key takeaways from this ICO decision

  • The ICO clearly thinks LastPass could have prevented or limited the breach with better security controls, hence the £1.2M fine.
  • The real-world attack path was very “human”:
    • Developer laptop compromised → source code + internal info stolen.
    • Home app (likely Plex) on a personal device exploited.
    • Malware + keylogger → master password captured.
    • Reused master password for personal and business vaults → attacker pivots into corporate environment.
    • AWS access + decryption key → backups and user data in cloud storage exposed.
  • This is another example that the “weakest link” can be:
    • A personal device
    • A third-party app
    • Password reuse (even by senior engineers who really should know better)

What this means if you used LastPass

The article (and previous LastPass disclosures) essentially boil down to:

  • Attackers got encrypted vault backups.
  • They did not get instant plain-text passwords; they got encrypted blobs.
  • Your risk depends heavily on:
    • How strong and unique your master password was.
    • What encryption/KDF settings your account used at the time (iterations, etc.).

If you were a LastPass user around 2022 and haven’t already done so, the usual advice still applies:

  • Change your master password (and do not reuse it anywhere else).
  • Change important site passwords stored in that vault, at least:
    • Email accounts
    • Banking/financial
    • Cloud storage
    • Major shopping accounts
    • Anything business-critical
  • Enable strong 2FA (preferably app-based or hardware key) on all critical services.
  • Watch for phishing that uses your real name/email/other data — breaches often lead to targeted scams.

Should you still use LastPass?

This is where it becomes more opinion-based. From user reports and security community discussions:

  • Many users lost trust and migrated to other managers after the 2022 incident.
  • Others still use LastPass but with very strong, unique master passwords and hardened settings.
  • No password manager is magically “immune” — what matters is:
    • Their security design (zero-knowledge, encryption model).
    • How they handle breaches and transparency.
    • Your own practices (device security, master password, 2FA, no reuse).

If you’re unsure, a reasonable path is:

  • Audit your current setup (master password strength, 2FA, device security).
  • Read the latest security statements from LastPass, not only this article.
  • Compare with a few alternative managers and see which model and track record you’re most comfortable with.

Bottom line

The ICO fine reinforces that even security companies can fail badly if people reuse passwords and personal devices/apps aren’t properly isolated. For end users, the most actionable steps are:

  • Unique, strong master password only used for your vault.
  • 2FA everywhere, especially email and financial accounts.
  • Treat any breached vault backups as a long-term risk and rotate important passwords accordingly.

If you share a bit about your current setup (still using LastPass, moved already, etc.), I can suggest more concrete next steps.
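Added illustration of the "master password strength and KDF iterations" point from the post above. This is my own example code, not code from the article, the post, or LastPass; it models the shape of the published LastPass key derivation (PBKDF2-HMAC-SHA256, salted with the lowercased account email) rather than reproducing the real client. The iteration counts in ITERATION_PROFILES, the attacker throughput in ASSUMED_BASE_GUESSES_PER_SEC, the key_verifier stand-in for "does this key decrypt a vault item", and the sample email and wordlist are all constructed assumptions for the example.

```python
"""Added example: how master-password strength and PBKDF2 iteration count set the
cost of attacking a stolen, encrypted vault backup. Model only; not LastPass code."""
import hashlib
import hmac

# Illustrative iteration counts (assumptions for this example). 100,100 and
# 600,000 are the publicly documented LastPass defaults before and after the
# 2022 breach; 5,000 is an older default that long-standing accounts may have kept.
ITERATION_PROFILES = {
    "legacy": 5_000,
    "pre_breach_default": 100_100,
    "post_breach_default": 600_000,
}

# Assumed attacker throughput: single-iteration PBKDF2-HMAC-SHA256 guesses per
# second on a multi-GPU rig. Hardware-dependent; assumption for illustration only.
ASSUMED_BASE_GUESSES_PER_SEC = 1e9


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password, salted with the lowercased
    account email. Mirrors the published LastPass scheme in shape only; the real
    client is not reproduced here."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def key_verifier(vault_key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt a vault item?'. A real attacker would
    AES-decrypt a known field; to stay stdlib-only this uses an HMAC of a fixed
    label under the key. The PBKDF2 derivation dominates the cost either way."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()


def offline_dictionary_attack(verifier: bytes, email: str, iterations: int, wordlist):
    """What the holder of a stolen encrypted vault can do: derive a key for each
    candidate master password offline, with no rate limiting, no MFA and no
    server involved. Returns the recovered master password or None."""
    for candidate in wordlist:
        key = derive_vault_key(candidate, email, iterations)
        if hmac.compare_digest(key_verifier(key), verifier):
            return candidate
    return None


def guesses_per_second(iterations: int, base_rate: float = ASSUMED_BASE_GUESSES_PER_SEC) -> float:
    """PBKDF2 work is linear in the iteration count, so attacker throughput
    falls as 1/iterations."""
    return base_rate / iterations


def days_to_exhaust(keyspace: float, iterations: int, base_rate: float = ASSUMED_BASE_GUESSES_PER_SEC) -> float:
    """Worst-case time to try every password in a keyspace at the given settings."""
    return keyspace / guesses_per_second(iterations, base_rate) / 86_400


if __name__ == "__main__":
    email = "user@example.com"  # constructed sample account
    # Constructed wordlist standing in for a leaked-password list.
    wordlist = ["123456", "password", "Summer2022!", "letmein", "Password123"]
    legacy = ITERATION_PROFILES["legacy"]
    # Weak master password: falls to a tiny wordlist regardless of iteration count.
    weak = key_verifier(derive_vault_key("Password123", email, legacy))
    print("weak master password recovered:", offline_dictionary_attack(weak, email, legacy, wordlist))
    # Strong, unique master password: not in any list, so only brute force remains.
    strong = key_verifier(derive_vault_key("glacier-orbit-walnut-7-quiet", email, legacy))
    print("strong master password recovered:", offline_dictionary_attack(strong, email, legacy, wordlist))
    # Iteration count scales brute-force cost linearly: same 8-char lowercase keyspace.
    for name, iters in ITERATION_PROFILES.items():
        print(f"{name:>20}: {days_to_exhaust(26 ** 8, iters):,.1f} days to exhaust 26^8")
```

Two things the numbers make concrete: a master password that appears in any leaked-password list is recovered in seconds whatever the iteration count, because the attacker only needs a handful of derivations; and for a password that is not in a list, raising iterations from 5,000 to 600,000 multiplies the brute-force cost by exactly 120, which is why the iteration setting your account had at the time of the backup matters as much as the password itself.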