UK ICO fines LastPass £1.2 million for 2022 data breach affecting 1.6 million users

2 unique sources, 2 articles

Summary

The UK Information Commissioner's Office (ICO) fined LastPass £1.2 million for security failures that led to a 2022 breach impacting up to 1.6 million UK users. The breach involved two interconnected incidents starting in August 2022, in which an attacker stole personal information and encrypted password vaults. The ICO found that LastPass failed to implement adequate security measures to prevent the breach. The attacker initially compromised a LastPass employee's laptop, gaining access to the company's development environment. The following day, the attacker targeted a senior employee by exploiting a vulnerability in a third-party streaming application, capturing the employee's master password and bypassing multi-factor authentication. This allowed the attacker to steal an Amazon Web Services access key and a decryption key, which were used to breach the cloud storage firm GoTo and steal LastPass database backups. The stolen data included encrypted password vaults, names, email addresses, phone numbers, and website URLs associated with customer accounts. The ICO emphasized that while LastPass's Zero Knowledge architecture prevented the decryption of customer password vaults, the company failed to meet its obligation to protect customer data. The ICO recommended the use of password managers by businesses and consumers as a way to improve identity and access management (IAM). Information Commissioner John Edwards stated that businesses offering password management services should ensure that system access and use is restricted to reduce the risk of attack. LastPass customers had a right to expect that the personal information they entrusted to the company would be kept safe and secure, but the company fell short of this expectation.

Timeline

  1. 11.12.2025 19:09 2 articles · 1d ago

    UK ICO fines LastPass £1.2 million for 2022 data breach affecting 1.6 million users
Similar Happenings

Sensitive Data Exposed via Publicly Accessible Code-Formatting Tools

Over 80,000 JSON snippets containing sensitive credentials, authentication keys, and configuration data from organizations in critical sectors were exposed through the Recent Links feature of JSONFormatter and CodeBeautify. The data, totaling over 5GB, included Active Directory credentials, database and cloud credentials, private keys, CI/CD secrets, payment gateway keys, API tokens, SSH session recordings, and personally identifiable information (PII). Researchers found that threat actors actively scanned and accessed this exposed data, with some organizations failing to remediate the issue. The exposed data impacted sectors such as government, banking, healthcare, and cybersecurity, with some credentials linked to major financial exchanges and managed security service providers (MSSPs). The Recent Links feature, which lacks access controls, allows anyone to scrape the data using predictable URLs. Researchers also set up a honeypot to confirm that threat actors were actively scanning for sensitive information, with access attempts recorded even after the links had expired. Both JSONFormatter and CodeBeautify have temporarily disabled the save functionality in response to the research, claiming they are working on enhanced NSFW content prevention measures.

Credential Compromise Lifecycle and Enterprise Risks

Enterprise credentials are frequently compromised through phishing, brute force attacks, third-party breaches, and exposed API keys. Attackers aggregate and monetize these credentials, selling them on underground markets. Once purchased, the credentials are used for account takeovers, lateral movement, data theft, resource abuse, and ransomware deployment, causing significant financial and reputational damage to organizations. The credential compromise lifecycle runs from users creating credentials, through attackers compromising them, aggregating and monetizing them, and distributing and weaponizing them, to finally exploiting them for malicious activity. Common vectors include phishing campaigns, credential stuffing, third-party breaches, and leaked API keys. The criminal ecosystem consists of opportunistic fraudsters, automated botnets, criminal marketplaces, and organized crime groups, each with different motivations and methods. The resulting harm to organizations includes regulatory fines, lawsuits, remediation costs, and long-term reputational damage.

Phishing Campaign Targets LastPass Users with Fake Death Claims

A phishing campaign is targeting LastPass users with fake death claims to gain access to their password vaults. The campaign, attributed to the financially motivated threat group CryptoChameleon (UNC5356), began in mid-October 2025. The attackers use phishing emails and fake websites to trick users into revealing their master passwords and passkeys. The phishing emails claim that a family member has requested access to the user's LastPass vault by uploading a death certificate. The emails include an agent ID number and a link to a fraudulent page where users are prompted to enter their credentials. In some cases, the attackers also call victims, posing as LastPass staff, to direct them to the phishing site. The campaign is more extensive and enhanced compared to a previous one in April 2024, now also targeting passkeys.

Axios and Direct Send Abuse in Microsoft 365 Phishing Campaigns

Threat actors are exploiting HTTP client tools like Axios and Microsoft's Direct Send feature to create highly efficient phishing campaigns targeting Microsoft 365 environments. These attacks, which began in July 2025, initially targeted executives and managers in the finance, healthcare, and manufacturing sectors, but have since expanded to all users. The campaigns use compensation-themed lures to trick recipients into revealing credentials and bypassing multi-factor authentication (MFA). The abuse of Axios has surged, accounting for 24.44% of all flagged user agent activity from June to August 2025. The attacks leverage Axios to intercept, modify, and replay HTTP requests, capturing session tokens or MFA codes in real time. This method allows attackers to bypass traditional security defenses and conduct phishing operations at an unprecedented scale. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA has been discovered, which steals Microsoft login credentials and sidesteps MFA by simulating various authentication methods. Salty 2FA uses advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its phishing campaigns. It also abuses legitimate platforms to stage initial attacks and uses Cloudflare Turnstile as a CAPTCHA replacement. Salty 2FA campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. The campaigns target industries including finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting. The Sneaky 2FA phishing kit has incorporated Browser-in-the-Browser (BitB) functionality to mimic browser address bars and pop-up login forms. This kit uses Cloudflare Turnstile checks to prevent security tools from accessing phishing pages and employs conditional loading techniques to ensure only intended targets can access them. The phishing domains are quickly rotated to minimize detection, and the kit uses obfuscation and disables browser developer tools to resist analysis. Sneaky 2FA is a widely used PhaaS platform alongside Tycoon 2FA and Mamba 2FA, all primarily targeting Microsoft 365 accounts. The kit uses SVG-based attacks and attacker-in-the-middle (AitM) tactics, where the authentication process is proxied to the legitimate service through a phishing page that relays valid session tokens to the attackers. Sneaky 2FA has added a BitB pop-up that mimics a legitimate Microsoft login window, adjusting dynamically to the victim's OS and browser. An attacker who steals credentials and active session tokens can authenticate to the victim's account even when two-factor authentication (2FA) is active.

Supply Chain Attack on Drift via OAuth Token Theft

A supply chain attack targeted the Drift chatbot, a marketing software-as-a-service product, resulting in the mass theft of OAuth tokens from multiple companies. Salesloft, the parent company, took Drift offline on September 5, 2025, to review and enhance security. Affected companies include Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler. The threat actor, tracked as UNC6395 and GRUB1, exploited OAuth tokens to access Salesforce data. The attack underscores the risks associated with third-party integrations and the importance of robust security measures in enterprise defenses.