The UK Information Commissioner's Office (ICO) has fined the password management firm LastPass £1.2 million for failing to implement security measures, a failure that allowed an attacker to steal personal information and encrypted password vaults belonging to up to 1.6 million UK users in a 2022 breach.
According to the ICO, the incident stemmed from two interconnected breaches starting in August 2022.
The first breach occurred in August 2022, when a hacker compromised a LastPass employee's laptop and accessed portions of the company's development environment.
While no personal data was taken during this incident, the attacker was able to obtain the company's source code, proprietary technical information, and encrypted company credentials. LastPass initially believed the breach was contained because the decryption keys for these credentials were stored separately in the vaults of four senior employees.
However, the following day, the attacker targeted one of those senior employees by exploiting a known vulnerability in a third-party streaming application, believed to be Plex, which was installed on the employee's personal device.
This access allowed the hacker to deploy malware, capture the employee's master password with a keylogger, and bypass multi-factor authentication by reusing a session cookie that had already passed an MFA check.
Because the employee used the same master password for both personal and business vaults, the attacker was able to access the business vault and steal an Amazon Web Services access key and a decryption key.
These keys, combined with the previously stolen information, allowed the attacker to breach the cloud storage firm GoTo and steal LastPass database backups stored on the platform.
Customer data stolen in breach
Personal information stored in the stolen database included encrypted password vaults, names, email addresses, phone numbers, and website URLs associated with customer accounts.