Why so cheap? £1.2m is a drop in the bucket, add several noughts please.
LastPass hammered with £1.2M fine for 2022 breach fiasco
The UK's Information Commissioner's Office (ICO) says LastPass must cough up £1.2 million ($1.6 million) after its two-part 2022 data breach compromised information from up to 1.6 million UK users. Information Commissioner John Edwards said: "Password managers are a safe and effective tool for businesses and the public to …
COMMENTS
Friday 12th December 2025 13:28 GMT Anonymous Coward
Long term liability
Instead of a single fine, companies should send regular payments to affected clients for 10 years.
This may become a reasonable source of personal income, since so many companies fail security; and will truly motivate companies to improve.
The payments could be paid once a quarter to properly reflect on quarterly reports. Designated managers of all payments could be set to simplify compliance and convenience - which could be Google Wallet, or Amazon shopping, if a user wants so.
Thursday 11th December 2025 18:18 GMT MiguelC
Re: Blasé approach to security
As I understand it, it wasn't necessarily the same PC. The problem was that LastPass "actively encouraged, senior staff to link their personal and business accounts, so both could be accessed using the same master password". Once having got to the personal account, the attacker was then able to access the linked business account, where were kept all those yummy LastPass passwords.
Friday 12th December 2025 10:19 GMT Just Enough
Re: Blasé approach to security
This is definitely the insane part. I can't fathom why either company or senior staff would think that linking personal accounts and work accounts was sensible and desirable. What happens when the member of staff decides to move on? Why does the member of staff not have reservations about their employers being entwined with their personal life? What if the staff member's personal on-line life is NSFW, yet accessible through the company's systems? What if the company locks down the senior staff's account for some reason, and inadvertently locks them out of their personal accounts too?
Saturday 13th December 2025 21:08 GMT RSProutt
Re: Blasé approach to security
The LastPass employee had installed Plex on his home PC/server.
An attacker used a known exploit to compromise the employee's Plex software, which allowed a keylogger to be installed.
When the employee connected into work (VPN), the keylogger captured the credentials.
Now the attacker has the credentials, they can use those stolen credentials to get into LastPass systems.
Thursday 11th December 2025 20:19 GMT MOH
Re: Blasé approach to security
I don't understand why you're being downvoted.
If corporate policy encouraged this, and encouraged one of four people with the required decryption keys to exploit the attack to use their personal device for work then nobody should ever use LastPass again.
There's a place for BYOD. This is not it.
Friday 12th December 2025 10:08 GMT DCdave
Re: Blasé approach to security
Also reading the article reveals that the PC of the person with access to the encryption key was compromised using a vulnerability in Plex Server, the presence of which suggests either BYOD or personal use on a work device. Once the PC was compromised the linking of personal and work accounts led to further compromise.
Friday 12th December 2025 15:06 GMT MOH
Re: Blasé approach to security
I suspect the reason both of us missed that fact is because there's a load of links labelled "more context" which would tend to indicate the end of the article.
It's not at all obvious on mobile that half the article is below the links.
But that's even worse: a company in charge of password management effectively encourages employees to use the same password for personal stuff and highly confidential corporate systems.
LastPass should be toast after this.
Thursday 11th December 2025 18:05 GMT Ascy
I've always thought people that use these web based password managers are nuts. Keep your passwords secure, except give them all to one company? I've been in the software dev industry long enough to know that the majority of fellow devs out there don't really understand the first thing about encryption, so unless their solution is open source AND you are going to inspect the source code yourself AND you trust that the code you've reviewed is the one that's actually running, why risk it?
You don't get the same level of team audit and granularity as you may get with some web based solutions, but just put your passwords in a KeePass vault and use encrypted cloud storage to sync the vault (eg Filen, Sync.com, iDrive, etc). Then there are two layers of defence and you don't have to fully trust either solution (though are obviously hoping that one of them works).
Friday 12th December 2025 10:10 GMT Charlie Clark
I understand your point but, even as a developer, I have a couple of issues: encryption isn't my forte so I don't trust my own ability to assess the security of any particular solution, even if I have access to the source – though I do agree that making it open source is a good start. But what are non-technical users supposed to do? If they're lucky, they'll have a friend to help them choose and manage whatever system they use. And I think that for many people KeePass, while a great solution, isn't practical. It adds complexity but also an additional dependency and has a master "database" – I have situations where I need to be able to demonstrate that personal and private keys are separate. As it happens, for one customer I do have to use LastPass – not my choice – so I use a different Firefox profile for this. For my personal use, I've switched from Bitwarden, which has some great features but more than I need at the moment, to HeyLogin, which has an admirable import function, making switching easier.
On the whole, I prefer it if people do at least use password managers and let them generate "secure" passwords.
Friday 12th December 2025 10:45 GMT Kurgan
There are lots of issues here, but surely the biggest one is that it's web based. The other is that it's closed, the next is that devs don't understand security. They never do. And a big repo full of credentials is a fucking big target, so it will be under constant attack from big criminal groups.
I'd never use a commercial, closed, web based password manager. NEVER.
I use KeePassXC with keyfile, password, and on an encrypted drive, on Linux. And I really hope that no one will sneak a backdoor into KeePassXC as has already happened in other open source software.
There will probably come a time when I'll drop password managers completely and use text files on an encrypted drive. Less risk of being targeted by supply chain attack if you don't use a password manager at all but use another encryption method.
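The two setups described in this thread (a KeePass vault synced through separately encrypted storage, and KeePassXC unlocked with a key file plus a password) both rest on the same idea: a second factor that a keylogger on the employee's PC, as in the Plex chain described above, never sees. The following is an added example written for this page; it is not code from any commenter nor from KeePass/KeePassXC. It reproduces the composite-key rule documented for KeePass (SHA-256 of the password, concatenated with the key-file key, hashed again), then substitutes scrypt for the real KDBX key transformation and an HMAC tag for the real header check, so the unlock logic is illustrative, not the actual file format. All inputs are constructed.

```python
"""Password + key file as two independent unlock factors (constructed example)."""
import binascii
import hashlib
import hmac
from typing import Optional

# Constructed sample inputs, not real secrets. A real vault uses a random salt.
SALT = b"\x01" * 16
KEYFILE = b"constructed key file contents - any bytes will do\n"
PASSWORD = "correct horse battery staple"


def keyfile_key(data: bytes) -> bytes:
    """Key-file handling as documented for KeePass: a 32-byte file is used raw,
    a 64-hex-character file is decoded, anything else is hashed with SHA-256.
    Assumption: the XML key-file variant is deliberately left out."""
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return binascii.unhexlify(data)
        except binascii.Error:
            pass
    return hashlib.sha256(data).digest()


def composite_key(password: str, keyfile: Optional[bytes]) -> bytes:
    """KeePass-style composite key: SHA-256 over SHA-256(password) || key-file key.
    Omitting either factor changes the input, so a different key comes out."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += keyfile_key(keyfile)
    return hashlib.sha256(material).digest()


def vault_key(composite: bytes, salt: bytes) -> bytes:
    """Slow key transformation. scrypt is a stand-in for the Argon2 used by KDBX4."""
    return hashlib.scrypt(composite, salt=salt, n=2**14, r=8, p=1, dklen=32)


def _tag(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """HMAC over the salt, keyed by the transformed key: stand-in for header auth."""
    return hmac.new(vault_key(composite_key(password, keyfile), salt), salt, "sha256").digest()


def seal(password: str, keyfile: Optional[bytes], salt: bytes = SALT) -> dict:
    """What gets stored with the vault. The encrypted body itself is omitted here."""
    return {"salt": salt, "tag": _tag(password, keyfile, salt)}


def unlock(vault: dict, password: str, keyfile: Optional[bytes]) -> bool:
    """True only when the supplied factors reproduce the stored tag."""
    return hmac.compare_digest(_tag(password, keyfile, vault["salt"]), vault["tag"])


if __name__ == "__main__":
    vault = seal(PASSWORD, KEYFILE)
    print("password + key file:", unlock(vault, PASSWORD, KEYFILE))
    # The keylogger case from the thread: the captured password alone is not enough.
    print("password only:", unlock(vault, PASSWORD, None))
    print("key file only:", unlock(vault, "", KEYFILE))
```

The point to take from the run is the second line: a typed master password, however it was captured, derives a different key when the key file is absent, and the unlock check fails. The key file only helps if it is not synced alongside the vault, which is why the encrypted-drive part of the setup matters.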
Friday 12th December 2025 00:18 GMT Smeagolberg
"Information Commissioner John Edwards said: 'Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use.'"
Yeah, right... put all your passwords (in some form) on a computer that someone else owns and controls and that has a giant target on its back labelled "Hack me".