
LastPass fined $1.6 million over insufficient security measures.
Updated December 14 with details of how to check if any of your passwords have been compromised following news of 630 million stolen credentials released by the FBI, alongside the original reporting regarding the LastPass data breach investigation and fine.
Any data breach affecting 1.6 million people is big news, especially when it involves one of the most prominent password managers out there: LastPass. The U.K. Information Commissioner’s Office has just fined LastPass £1.2 million ($1.6 million) for failing to “implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database.” Here’s what you need to know.
Breach Investigation Reports LastPass Failed Customers, Leaving Them Vulnerable
LastPass is one of the best-known password managers, with a consumer user base of over 20 million and 100,000 businesses relying on its services. Perhaps unsurprisingly, then, it is also a prime target for cybercriminals — from a company network intrusion confirmed by LastPass in 2015 through to the latest warnings to users about opportunistic “are you dead” master password hack attacks.
In 2022, LastPass CEO Karim Toubba announced that an unauthorized party had gained access to “certain elements of our customers’ information,” which sent shivers up the spines of cybersecurity experts and users alike. That 2022 data breach, concerning a third-party cloud storage service, has now come back to bite the business. The U.K. Information Commissioner’s Office, an independent regulatory body that upholds data privacy protections, confirmed it fined LastPass a total of £1.2 million ($1.6 million) for the breach that impacted 1.6 million U.K. users alone.
LastPass, “which promises to help people improve their security,” the ICO said, “has failed them, leaving them vulnerable.”
Although there remains no evidence that the hackers were able to decrypt customer passwords, the ICO concluded that “LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database.” Despite these failings, LastPass passwords were not affected, and using a password manager remains a recommended security measure for most users.
Why You Still Need LastPass And Other Password Management Apps
The knee-jerk reaction to hearing that any password manager service has fallen victim to a significant security incident, no matter how it occurred or what data was involved, is to conclude that putting all your password eggs into a single application basket is a bad idea. Users need to stop and think before taking any rash action that could, in reality, leave them and their accounts less secure as a result. Sure, it’s devastating to learn that the password manager you have entrusted your secrets to has been left wanting when it comes to its own security, but the fact of the matter here is that no LastPass passwords were exposed, nor could they have been by this attack on the third-party supplier concerned. Not managing your passwords is a much riskier option, and one that will almost always lead to less secure password construction and use, including password reuse across sites and ease of recollection taking precedence over randomness, complexity, and strength.
If you want solid evidence of why this is the case, look no further than the news that the FBI has just released a database of 630 million stolen passwords that were discovered on devices belonging to a single hacker. The cybercriminal, whose devices were seized during the course of an investigation, had collected the compromised passwords from a variety of sources, including dark web marketplaces, Telegram channels and infostealer logs.
Password reuse, alongside weak password construction, will never be a good alternative to a password manager.
LastPass Fine A Watershed Moment For Cybersecurity
“The ICO’s fine against LastPass is a watershed moment for the cybersecurity industry,” Dan Panesar, chief revenue officer at Certes, said, “because it confirms what many breaches have already shown: the failure point is no longer passwords, it’s what attackers can access once identity is compromised.”
“The bottom line is that security isn’t just tech,” Chris Linnell, associate director of data privacy at Bridewell, said, “it’s governance, staff awareness, and managing supplier risk.” The LastPass case is yet another example of why businesses need to look at the whole picture, “not just the product that’s being sold.”
“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure,” John Edwards, the U.K. Information Commissioner, said, concluding, “However, the company fell short of this expectation, resulting in the proportionate fine being announced today.”
I approached LastPass for a statement and a spokesperson told me, “We have been cooperating with the UK ICO since we first reported this incident to them back in 2022. While we are disappointed with the outcome, we are pleased to see that the ICO’s decision has recognized many of the efforts we have already taken to further strengthen our platform and enhance our data security measures. Our focus remains on delivering the best possible service to the 100,000 businesses and millions of individual consumers who continue to rely on LastPass.”