
The UK’s Information Commissioner’s Office (ICO) has fined LastPass UK Ltd £1.2 million for failing to implement adequate security measures, leading to a major data breach in 2022 that exposed the personal information of up to 1.6 million UK customers.
Although the passwords stored in LastPass vaults were not compromised thanks to the company’s zero-knowledge encryption design, attackers were able to access sensitive metadata, including names, email addresses, phone numbers, and URLs of stored sites.
The ICO’s investigation concluded that the breach stemmed from two interconnected security incidents. The first occurred in August 2022, when a hacker exploited a vulnerability to access a corporate laptop of a LastPass developer in Europe. This initial foothold allowed the attacker to extract encrypted credentials related to the company’s development environment.
Despite mitigation efforts by LastPass, the attacker escalated their access by compromising the personal device of a senior employee in the US, who had access to decryption keys stored in their vault. A known vulnerability in a third-party streaming application was used to plant a keylogger on that device; the keylogger captured the employee's master password, which unlocked both their personal and business vaults, while multi-factor authentication was bypassed because the device already held a previously trusted cookie.
This elevated access enabled the attacker to retrieve the Amazon Web Services (AWS) credentials and encryption keys needed to access LastPass’ backup storage. As a result, the attacker exfiltrated large volumes of customer information, though encrypted password vaults themselves remained protected.
LastPass is one of the most widely used password managers in the world, reportedly serving over 30 million individual users and more than 85,000 business clients. The service is known for its use of zero-knowledge encryption, meaning that even LastPass employees cannot access user vault contents, and master passwords are never stored on company servers.
However, the ICO’s ruling points to a significant failure in protecting access to the systems housing encrypted data. “Password managers are valuable tools, but they require the highest level of internal security,” said UK Information Commissioner John Edwards, adding that firms handling such data must “urgently review their systems and procedures.”
In early 2023, the company faced a US-based class action lawsuit alleging negligence in handling the breach and accusing the firm of misleading users about the scope of the incident. The plaintiff in that case reported the theft of private cryptocurrency keys stored in a compromised vault, claiming damages exceeding $50,000. The lawsuit further criticized LastPass for failing to immediately disclose the extent of the breach, delaying crucial information until December 2022.
