Full Report
UK data regulator says failures were unacceptable for a company managing the world's passwords

The UK's Information Commissioner's Office (ICO) says LastPass must cough up £1.2 million ($1.6 million) after its two-part 2022 data breach compromised information from up to 1.6 million UK users.…
Analysis Summary
# Incident Report: LastPass Two-Part 2022 Data Breach
## Executive Summary
LastPass experienced a two-part data breach in August 2022, leading to the exfiltration of source code and, subsequently, customer backup data. The incidents were facilitated by compromising an employee's MacBook (leading to source code theft) and a DevOps engineer's personal PC (leading to the compromise of the SSE-C decryption key). The UK ICO fined LastPass £1.2 million for unacceptable security failures, particularly regarding internal controls and policies allowing staff to link personal and business accounts.
## Incident Details
- **Discovery Date:** Initial suspicious activity relating to the first incident was detected approximately on August 12, 2022 (via AWS alerts), but major data exfiltration was confirmed later. Significant alert notifications were not actioned until November 2, 2022.
- **Incident Date:** Two main stages occurred on or around August 11/12, 2022 (First incident) and August 12, 2022 (Second, more impactful incident).
- **Affected Organization:** LastPass
- **Sector:** Software/Password Management
- **Geography:** Global (Incident involved UK users and US-based staff)
## Timeline of Events
### Initial Access (Incident 1: Source Code Theft)
- **Date/Time:** Approximately August 11, 2022 (Implied prior to Aug 12)
- **Vector:** Compromised work-issued MacBook Pro belonging to a company software developer.
- **Details:** The attacker gained access to the corporate development environment and technical documentation. Anti-forensics techniques were used, so the initial compromise method remains obscured; the compromise coincided with a macOS upgrade on the device.
### Lateral Movement (Incident 1 & 2)
- **Date/Time (Incident 1):** During the first incident, the attacker moved from the MacBook to access and exfiltrate source code repositories.
- **Date/Time (Incident 2):** August 12, 2022. The attacker used an exploit (CVE-2020-5741) on a US-based senior DevOps engineer's personal desktop PC, installed a keylogger, and captured the engineer's master password. That master password opened the engineer's personal vault and, through it, gave access to corporate secrets.
- **Details:** The attacker leveraged the stolen master password to access sensitive corporate data, including the SSE-C key used to secure AWS S3 backup buckets. The company rotated credentials following this first incident on August 18, 2022.
### Data Exfiltration/Impact
- **Date/Time (Incident 2 Continued):** Post-August 12, 2022 (Implied access occurred after gaining the decryption key).
- **Details:** Using the compromised AWS access key and the SSE-C decryption key (stolen from the DevOps engineer's compromised system), the attacker downloaded the company's backup database.
- **Impact:** Stolen data included names, emails, phone numbers, stored website URLs, IP addresses, and physical addresses for over 1.6 million UK users. The SSE-C key was acquired, but there is no evidence the encrypted customer data was decrypted.
### Detection & Response
- **Detection:** AWS detected unusual activity (attempts to manipulate access management commands via the developer's account in Incident 1) and sent GuardDuty alerts between October 15 and 22, 2022.
- **Response Actions:**
- Security alerts from October were not actioned until November 2, 2022, due to failures in the transition from GoTo (former parent company), resulting in delayed notification (18-day lag).
- Credentials were rotated following the first incident on August 18, 2022.
- ICO imposed a £1.2 million fine due to unacceptable failures in security implementation.
## Attack Methodology
- **Initial Access (Incident 1):** Compromise of a software developer's work-issued MacBook Pro.
- **Initial Access (Incident 2):** Exploitation of CVE-2020-5741 on a personal desktop PC.
- **Persistence:** Installation of a keylogger on the DevOps engineer's PC.
- **Privilege Escalation:** N/A (the attacker exploited existing trust relationships rather than escalating privileges beyond what the compromised users already held).
- **Defense Evasion:** Use of anti-forensics techniques during the first incident.
- **Credential Access:** Keylogger used to steal the DevOps engineer's master password; access to unencrypted internal credentials/keys within stolen source code.
- **Discovery:** Access to technical documentation provided reconnaissance data.
- **Lateral Movement:** Pivoting from the personal account/device to the corporate network via stolen master password/credentials (linking personal and business accounts was key).
- **Collection:** Exfiltration of 14 source code repositories; download of the entire customer backup database.
- **Exfiltration:** Data transfer occurring after acquisition of the AWS access key and SSE-C decryption key.
- **Impact:** Theft of sensitive personal data belonging to over 1.6 million UK users.
## Impact Assessment
- **Financial:** £1.2 million fine levied by the ICO.
- **Data Breach:** Compromise of user data including names, emails, phone numbers, stored URLs, IP addresses, and physical addresses for 1.6M+ UK users. Encrypted customer data was potentially accessible via the acquired SSE-C key, though not confirmed decrypted.
- **Operational:** Significant internal confusion regarding organizational responsibilities (LastPass vs. GoTo) delayed detection and response significantly.
- **Reputational:** ICO stated failures were "unacceptable" for a password manager, causing distress to customers.
## Indicators of Compromise
- **Network Indicators (Defanged):** Outdated cloud infrastructure email distribution list for AWS alerts (pointing to former parent company GoTo).
- **File Indicators:** Keylogger installed on the DevOps engineer's personal PC.
- **Behavioral Indicators:** Attempts to manipulate access management commands via the developer's account, triggering AWS GuardDuty alerts (October 2022).
## Response Actions
- **Containment:** Credentials were rotated on August 18, 2022, after the first incident. (Implied containment after the second incident involved limiting access derived from the compromised DevOps engineer account).
- **Eradication:** Not explicitly detailed, but likely involved removing malware/keyloggers and ensuring access keys were invalidated.
- **Recovery Actions:** The ICO fine noted failures in implementing robust technical and organizational measures, implying remediation of these systemic issues was required.
## Lessons Learned
- **Permissive Policies are Dangerous:** Allowing senior staff to link personal and business accounts/vaults using the same master password created a critical single point of failure. Separate master passwords would have provided an added layer of security.
- **Detection Failure:** Outdated internal distribution lists (due to organizational transition) caused critical AWS security alerts to go unread for nearly three weeks (October 15/22 to November 2).
- **Inadequate Security Posture:** The firm failed to implement sufficiently robust technical and security measures commensurate with the service they provide (managing the world's passwords).
## Recommendations
- Immediately mandate separation between personal and corporate credentials, especially master passwords for sensitive services.
- Conduct immediate audits of all alert-routing and notification lists (e.g., recipients of cloud provider security alerts) to ensure distribution lists are current and contain only active personnel responsible for immediate action.
- Implement higher standards of technical controls, especially for high-privilege personnel, given the sensitive nature of user data managed by a password provider.
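The detection failure described under Lessons Learned (GuardDuty alerts sent to a distribution list left over from the former parent company and left unread for 18 days) and the audit recommended above are both checks a defender can automate. The following is an added example, not code from the original report or from LastPass: it audits each alert's recipients against a roster of currently active responders, flags alerts that reached no current responder at all, and measures raise-to-acknowledgement lag against an assumed 24-hour SLA. All addresses, domains, finding IDs and timestamps are constructed.

```python
"""Audit where cloud security alerts go and how long they sit unacknowledged.

Added example (not code from the original report or from LastPass). It models
the detection failure the report describes: GuardDuty notifications delivered
to a distribution list left over from a former parent company, and an 18-day
gap before anyone acted. Names, addresses and timestamps are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed roster of addresses currently responsible for acting on alerts.
ACTIVE_RESPONDERS = {"secops@example-pw.test", "cloud-oncall@example-pw.test"}
CORPORATE_DOMAINS = {"example-pw.test"}
ACK_SLA = timedelta(hours=24)  # assumed policy: acknowledge within a day


@dataclass
class Alert:
    finding_id: str
    severity: str
    raised_at: datetime
    recipients: List[str]            # where the notification was sent
    acknowledged_at: Optional[datetime] = None


@dataclass
class AuditResult:
    finding_id: str
    stale_recipients: List[str] = field(default_factory=list)     # not on the roster
    external_recipients: List[str] = field(default_factory=list)  # outside corporate domains
    unroutable: bool = False         # no current responder received it at all
    lag: Optional[timedelta] = None  # raise-to-ack time; None if never acknowledged
    sla_breached: bool = False


def audit_alert(alert: Alert, now: datetime) -> AuditResult:
    """Flag stale/external recipients and measure the acknowledgement lag."""
    result = AuditResult(alert.finding_id)
    for addr in alert.recipients:
        if addr not in ACTIVE_RESPONDERS:
            result.stale_recipients.append(addr)
        if addr.rsplit("@", 1)[-1].lower() not in CORPORATE_DOMAINS:
            result.external_recipients.append(addr)
    # Every recipient stale (or no recipients at all) means the alert went nowhere useful.
    result.unroutable = len(result.stale_recipients) == len(alert.recipients)
    if alert.acknowledged_at is not None:
        result.lag = alert.acknowledged_at - alert.raised_at
        open_for = result.lag
    else:
        open_for = now - alert.raised_at  # still unacknowledged: count elapsed time
    result.sla_breached = open_for > ACK_SLA
    return result


def audit_all(alerts: List[Alert], now: datetime) -> List[AuditResult]:
    return [audit_alert(a, now) for a in alerts]


# Constructed sample: one finding routed only to a former parent's list and
# acknowledged 18 days later, one routed correctly and acknowledged promptly,
# and one routed correctly but still open past the SLA.
SAMPLE_ALERTS = [
    Alert("gd-0001", "HIGH", datetime(2022, 10, 15, 9, 0),
          ["aws-alerts@former-parent.test"], datetime(2022, 11, 2, 9, 0)),
    Alert("gd-0002", "MEDIUM", datetime(2022, 10, 20, 14, 0),
          ["secops@example-pw.test"], datetime(2022, 10, 20, 16, 0)),
    Alert("gd-0003", "HIGH", datetime(2022, 11, 1, 8, 0),
          ["cloud-oncall@example-pw.test"]),
]
SAMPLE_NOW = datetime(2022, 11, 3, 8, 0)  # constructed "current time" for the audit


def audit_sample() -> List[AuditResult]:
    """Run the audit over the constructed sample."""
    return audit_all(SAMPLE_ALERTS, SAMPLE_NOW)


if __name__ == "__main__":
    for r in audit_sample():
        print(r)
```

In practice the roster and the recipient lists would be pulled from the identity provider and from the cloud provider's notification configuration rather than hard-coded; the point of the check is that an alert whose every recipient is off the roster counts as unroutable and is treated as a control failure in its own right, independent of whether anyone eventually noticed it.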