LastPass Data Breach — Insufficient Security Exposed 1.6 Million Users
The UK Information Commissioner's Office fined LastPass £1.2 million after breaches exposed personal data of 1.6 million UK users due to weak security policies and delayed breach detection.
- The U.K. Information Commissioner's Office has fined LastPass £1.2 million for a 2022 breach affecting up to 1.6 million UK users after it failed to implement sufficiently robust security measures.
- The incident stemmed from two interconnected breaches that began in August 2022, starting with a company software developer's work-issued MacBook Pro, which exposed 14 out of around 200 source code repositories.
- Attackers exploited a Plex vulnerability on a senior DevOps engineer's personal PC, installed a keylogger, and stole AWS and decryption keys. As Karim Toubba explained, "The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service."
- John Edwards, the U.K. Information Commissioner, said LastPass fell short in protecting personal data, prompting the fine, while a LastPass spokesperson said it is cooperating and improving security.
- With a consumer base of over 20 million and 100,000 businesses relying on it, and with researchers linking six-figure cryptocurrency heists to the breach, UK businesses and organisations are urged to review device security, remote work risks and access restrictions.
11 Articles
UK fines LastPass over 2022 data breach impacting 1.6 million users
The UK Information Commissioner's Office (ICO) fined the LastPass password management firm £1.2 million for failing to implement security measures, which allowed an attacker to steal personal information and encrypted password vaults belonging to up to 1.6 million UK users in a 2022 breach.
Password security firm hit for password security failings - DecisionMarketing
A company which pledged to help people improve their online security has been battered by the Information Commissioner’s Office after enabling a hacker to steal personal information relating to 1.6 million UK customers. The regulator found that password manager provider LastPass UK failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. There i…
Coverage Details
Bias Distribution
- 100% of the sources are Center







