Features 15.01.2026
AI Autopsy: Why the ICO fined LastPass £1.2m
A tale of poor incident response, sub-par encryption and an imperfect BYOD policy
Old data breaches never die. Especially when regulators shine a light on them. Last month, the UK’s Information Commissioner’s Office (ICO) put a 2022 incident at password management company LastPass back in the news cycle, after fining it £1.2m for GDPR infringements.
In October that year, thieves accessed a database of LastPass users’ billing, email and IP addresses, usernames, mobile numbers, and unique mobile device identifiers. They also obtained the company names, employer identification numbers, and tax identification numbers of LastPass Business and Teams users.
The ICO conducted a thorough investigation into the breach, which resulted from a campaign lasting at least two months. What can we learn from its analysis?
The breach occurred in two phases. The first was the compromise of a software engineer’s corporate laptop in August 2022, from which the threat actor pilfered 14 of 200 source code repositories, possibly containing clear-text credentials (LastPass was unable to determine how the laptop was compromised).
This gave the attacker an SSE-C key (the customer-supplied key used for server-side encryption of objects in AWS S3), which could in principle be used to read LastPass customer backups, including encrypted vaults, from the S3 bucket that held them. Critically, though, two further layers stood in the way. The SSE-C key was itself stored encrypted, so the attacker needed another key to decrypt it. And reading anything from the bucket at all required a separate AWS access key.
The key needed to decrypt the SSE-C key was stored inside four LastPass staffers’ Employee Business account vaults. Hiding away that key among a small number of users might have seemed safe. But according to Gareth Downs, senior lead data privacy consultant at Bridewell, it carried a risk of its own. “This concentration of access creates a small, high-value target set,” he tells Assured Intelligence.
This is where phase two came in. Attackers targeted one of these four people (a senior development operations engineer) through their personal home computer. They got in via a known high-risk vulnerability in Plex, a media server application the employee ran for personal use, and used that foothold to install a keylogger on the machine.
Although LastPass subsequently changed its policy, at the time of the incident, it allowed employees to link their LastPass business and personal accounts, meaning that both could be accessed with the same master password.
This was a key gap in the firm’s security posture, says Wolfgang Goerlich, an IANS faculty member and the Oakland County CISO. “The LastPass incident shows that logical separation without trust separation is a security flaw,” he tells Assured Intelligence. “We must separate personal, daily professional, and privileged activities. That separation begins with credential stores and extends into accounts, profiles and computing hardware.”
Because LastPass did not mandate that separation at the time, the master password captured by the keylogger opened not only the engineer’s personal account but their Employee Business Vault, handing the attacker the key needed to decrypt the SSE-C key, and the AWS access key with it. With those assets in hand, the attacker could read the backups.
“It also meant that when the threat actor exported the contents of the senior development operations engineer’s vault, LastPass’s rotation of credentials was rendered futile,” says Bridewell’s Downs. “That’s because the attacker already had persistent access to the vault where new credentials would be stored.”
The ICO’s penalty notice specifically cites the failure to mandate the separation of personal and business accounts, particularly for senior executives who were high-profile targets.
The threat actor exfiltrated the password vaults of 1.6 million UK LastPass users. But the contents were not immediately readable. Each vault is encrypted client-side (end-to-end encryption, E2EE) with a key derived from the user’s master password, which LastPass never holds, so a thief has to guess each master password offline before its vault opens.
That encryption setup wasn’t perfect either. The default key-derivation setting protecting the compromised vaults was 100,100 iterations of PBKDF2, and the iteration count is what sets the price of every offline guess. Security body OWASP recommends 600,000 for PBKDF2-HMAC-SHA256, roughly six times the work per guess, a figure LastPass has since adopted. Experts have suggested that tens of millions of dollars’ worth of cryptocurrency thefts since 2022 were enabled by offline guessing of weak master passwords from the stolen vaults.
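As an added illustration (not code from the article or from LastPass), the following Python models the offline attack the paragraph describes: a stolen vault carries its own salt and iteration count, so the attacker’s only cost per guess is the key-derivation work, and raising 100,100 to 600,000 PBKDF2-HMAC-SHA256 iterations multiplies that cost by roughly six. The vault format, the key-check tag, the sample master password, the wordlist and the 1e9 HMAC/s cracking rate are all assumptions constructed for the example, not LastPass’s real scheme.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Iteration counts quoted in the article: LastPass's default at the time of the
# breach, and the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.
LEGACY_ITERATIONS = 100_100
OWASP_ITERATIONS = 600_000

# Assumption for the cost model only: a hypothetical cracking rig computing
# 1e9 HMAC-SHA256 operations per second. Real figures depend on the hardware.
ASSUMED_HMAC_PER_SECOND = 1e9


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key from the master password with PBKDF2-HMAC-SHA256.

    Simplified model of a client-side (E2EE) password manager: the server only
    ever sees ciphertext produced under this key, never the master password.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_key_check(vault_key: bytes) -> bytes:
    """Key-confirmation tag stored beside the vault (assumed format, not LastPass's).

    A real vault would be an authenticated-encryption blob instead; either way the
    attacker can tell a correct guess from a wrong one without talking to a server.
    """
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def seal_vault(master_password: str, salt: bytes, iterations: int) -> dict:
    """What an attacker obtains from a backup: salt, iteration count and key check.

    The iteration count must travel with the vault so legitimate clients can
    re-derive the key, so it is never a secret from whoever steals the backup.
    """
    key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "key_check": make_key_check(key)}


def offline_guess(stolen_vault: dict, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Run an offline dictionary attack against a stolen vault.

    Returns (recovered password or None, total PBKDF2 iterations spent). Every
    candidate costs the full iteration count; that linear cost is all the KDF
    parameter buys the defender.
    """
    iterations = stolen_vault["iterations"]
    spent = 0
    for candidate in wordlist:
        spent += iterations
        key = derive_vault_key(candidate, stolen_vault["salt"], iterations)
        if hmac.compare_digest(make_key_check(key), stolen_vault["key_check"]):
            return candidate, spent
    return None, spent


def attacker_seconds(guesses: int, iterations: int,
                     hmac_per_second: float = ASSUMED_HMAC_PER_SECOND) -> float:
    """Wall-clock seconds to try `guesses` candidates at a given iteration count."""
    return guesses * iterations / hmac_per_second


def cost_ratio(new_iterations: int, old_iterations: int) -> float:
    """How much more expensive each guess becomes after raising the iteration count."""
    return new_iterations / old_iterations


def kdf_meets_policy(iterations: int, floor: int = OWASP_ITERATIONS) -> bool:
    """Configuration check an assessment could run instead of ticking an 'encryption' box."""
    return iterations >= floor


if __name__ == "__main__":
    salt = b"user@example.com"  # constructed per-user salt; not secret
    vault = seal_vault("Summer2022!", salt, LEGACY_ITERATIONS)
    wordlist = ["password", "letmein", "Summer2021!", "Summer2022!"]  # constructed
    found, spent = offline_guess(vault, wordlist)
    print(f"recovered {found!r} after {spent:,} PBKDF2 iterations")
    for n in (LEGACY_ITERATIONS, OWASP_ITERATIONS):
        hours = attacker_seconds(10**9, n) / 3600
        print(f"{n:>7,} iterations: 1e9 guesses take ~{hours:,.1f} h on the assumed rig; "
              f"meets policy floor: {kdf_meets_policy(n)}")
    print(f"raising {LEGACY_ITERATIONS:,} -> {OWASP_ITERATIONS:,} multiplies per-guess cost by "
          f"{cost_ratio(OWASP_ITERATIONS, LEGACY_ITERATIONS):.2f}x")
```

Two things the numbers make plain. A six-fold increase in iterations is worth less than one extra random character in the master password, so the KDF setting is a floor, not a substitute for password strength. And because the iteration count is stored with the vault, a backup stolen at 100,100 iterations stays at 100,100 forever: raising the default after the breach protects vaults re-encrypted by users who log in again, not the copies already in the attacker’s hands.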
Nor was all data protected by E2EE. The ICO noted the theft of over 248,000 phone numbers, 160,000 names, 118,000 postal addresses and a whopping 1.6 million email addresses, along with the URLs stored in vaults. All of these relied solely on the SSE-C key and the AWS access key for protection.
One thing that surprised Downs is how disjointed the company’s incident response seems to have been. “Incident 1 (the development environment compromise) and Incident 2 (the vault compromise via personal device) were initially treated as unrelated,” he points out. “The connection – that the attacker was systematically working to obtain the credentials needed to access backup infrastructure – wasn’t identified until much later.”
Ilia Kolochenko, data protection lawyer and founder of ImmuniWeb, also raises an eyebrow. “They should have had some foundational security controls – namely, incident response – in their cloud environment,” he tells Assured Intelligence. “I believe that in 2022 it was perfectly doable, and AWS had native tools on its platform.”
LastPass did get alerts from AWS in October that something was afoot. It followed procedure and emailed a cloud infrastructure distribution list. However, only one person on the list (an engineer) worked for LastPass; the rest were employees of GoTo, its then-parent company, and miscommunication between the two sides delayed the subsequent investigation by 18 days.
CISOs can take away a few key lessons from LastPass’s failings, beyond the need for integrated incident response and proper separation of accounts. One of them might be not to rely purely on tick-box security.
“Typically, third-party risk assessments would consider things like encryption standards, certifications, and penetration testing cadence, but LastPass met all of these requirements,” says Bridewell’s Downs. “And yet 1.6 million UK users’ personal data was still exfiltrated.”
The ICO notes that LastPass held ISO 27001:2022 certification at the time of the breach, a standard that includes guidance on securing endpoints. Yet, despite the company’s focus on securing corporate laptops, the blurred lines between business and personal use are what let it down, the regulator said.
More robust assessments might be in order, along with some out-of-the-box red-team thinking. Enhanced criteria around key derivation function strength, strict personal device policies for privileged staff, and even more stringent backup access controls are good places to start. Downs criticises LastPass for insufficiently monitoring backup access.
Ameet Jugnauth, president of ISACA’s London Chapter, says that the case focuses the lens on bring-your-own-device (BYOD) policy.
“From a governance perspective, BYOD decisions for privileged users should be treated as explicit risk decisions, rather than default productivity choices,” he tells Assured Intelligence.
Companies seeking to allow BYOD should impose conditional access, strong authentication controls, device compliance and posture requirements, and enhanced monitoring of identity-based activity, he adds.
“Where these controls cannot be applied with sufficient confidence, organisations should reconsider whether BYOD is appropriate for privileged roles,” Jugnauth warns.
For its part, LastPass has since issued all employees corporate devices and mobile phones and rolled out MFA keys to every one of them. A new acceptable use policy also forbids any business activity on personal devices, and vice versa.
“This is more restrictive than necessary for most staff but reflects the reality that loss of convenience is often worth the risk reduction,” says Bridewell’s Downs.
LastPass has taken post-breach precautions, but the stable door was open and the horse a dot on the horizon when it did so. Smart CISOs will put these measures in place before disaster strikes.