The UK Information Commissioner’s Office (ICO) has fined LastPass £1.2 million after investigators found the company failed to use proper security measures, allowing attackers to steal personal information and encrypted password vaults belonging to up to 1.6 million UK users.

The breach traces back to two related security incidents in August 2022. In the first attack, a hacker broke into a LastPass employee’s laptop and accessed parts of the company’s development environment. No customer data was taken at that stage, but the attacker managed to steal source code, technical information, and encrypted company credentials.

LastPass initially believed the damage was limited because the decryption keys for those credentials were stored in the vaults of four senior employees. But the following day, the attacker directly targeted one of those employees by exploiting a known flaw in a third-party streaming app—widely believed to be Plex—installed on the employee’s personal device.

With that access, the hacker deployed malware and captured the employee’s master password using a keylogger. They also bypassed multi-factor authentication by using an already authenticated cookie. Because the employee reused the same master password for both personal and business accounts, the attacker was able to unlock the business vault and steal an AWS access key and a decryption key.

Using those stolen keys and earlier data, the attacker accessed backups stored with GoTo, LastPass's cloud provider, and downloaded customer database backups.

The stolen data included encrypted password vaults, email addresses, names, phone numbers, billing addresses, IP addresses, and website URLs linked to customer accounts. While the vaults were encrypted, LastPass warned that users with weak master passwords could still be at risk because determined attackers could attempt offline brute-force cracking.

Security researchers later suggested that some weak vaults were successfully cracked and then used in cryptocurrency theft.

The ICO criticized LastPass for not protecting customers’ information despite offering a product designed specifically for security. The regulator said users had a reasonable expectation that their data would be safe and that the company failed to meet this responsibility.

The agency urged organizations to strengthen device security, review remote-work risks, and ensure strict access controls. Customers were also reminded to use strong master passwords—preferably at least 16 characters or a long multi-word passphrase—to better protect encrypted vaults.
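As an added illustration of why the master-password advice matters (example code written for this page, not anything from the article or from LastPass): a defender-side estimate of how long a stolen, PBKDF2-protected vault would hold up against offline guessing at different password strengths. The iteration count, guess rate, wordlist size and salt are assumptions, not LastPass's real settings.

```python
import hashlib
import math
import string

# Assumed parameters, not LastPass's real configuration.
ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 rounds per guess
GUESSES_PER_SECOND = 1e12     # constructed figure for one attacker's SHA-256 throughput
WORDLIST_SIZE = 7776          # diceware-style list of 6^5 words
SECONDS_PER_YEAR = 365 * 24 * 3600

def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a 256-bit vault key with PBKDF2 (assumed scheme, chosen for illustration)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)

def password_entropy_bits(password: str) -> float:
    """Entropy if the password were chosen uniformly from the character classes it uses.

    This is an upper bound: real guessing starts with dictionaries and common
    patterns, so a human-chosen string such as 'password' is far weaker than this.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0

def passphrase_entropy_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of a passphrase whose words are drawn at random from a public wordlist."""
    return word_count * math.log2(wordlist_size)

def expected_crack_years(entropy_bits: float, iterations: int = ITERATIONS,
                         guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: half the keyspace, each guess costing `iterations` hashes."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * iterations / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    salt = b"constructed-salt"  # a real vault uses a per-user random salt
    print(derive_vault_key("correct horse battery staple", salt, 1000).hex())
    for label, bits in [("8 lowercase chars", password_entropy_bits("abcdefgh")),
                        ("16 mixed-case+digits", password_entropy_bits("Ab3dEf6hIj9kLm2N")),
                        ("5-word passphrase", passphrase_entropy_bits(5))]:
        print(f"{label:22s} {bits:6.1f} bits -> ~{expected_crack_years(bits):.3g} years")
```

The gap between the 8-character and the 16-character rows is the whole argument: the key-derivation work factor only multiplies the attacker's cost, while each extra character multiplies it again, so length is what turns an offline attack from hours into something impractical.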

LastPass responded by saying it has cooperated with the ICO since 2022 and has implemented new security improvements. The company said it remains focused on delivering reliable service to millions of customers worldwide.