Saved February 14, 2026
Do you care about this?
The UK ICO fined LastPass £1.2 million after a 2022 breach exposed personal data of 1.6 million UK users. The breach stemmed from a chain of security failures: a compromised employee laptop gave the attackers source code and internal information, and malware later planted on a senior employee's device captured credentials that opened LastPass's cloud storage, including customer data and encrypted password vaults.
If you do, here's more
The UK Information Commissioner's Office (ICO) has fined LastPass £1.2 million over a security breach that affected 1.6 million UK users. The breach, which began in August 2022, involved two linked incidents. First, an attacker accessed a LastPass employee's laptop and obtained source code and proprietary information. No personal data was taken at that stage, but what was learned set the stage for the more serious breach that followed.
The attacker then targeted a senior employee by exploiting a vulnerability in a third-party application on that employee's device, believed to be Plex. This allowed the attacker to deploy malware, capture the employee's master password, and sidestep the protection that multi-factor authentication was meant to provide. Using the stolen Amazon Web Services access key and decryption key, the attacker reached LastPass's cloud storage and took sensitive customer data, including names, email addresses, phone numbers, and encrypted password vaults. The ICO found no evidence that the attacker decrypted the vaults, but warned that the strength of each user's master password is now critical: the vaults are in the attacker's hands, so guessing happens offline, with no server-side lockout or rate limiting, and weak master passwords are susceptible to brute-force attacks.
LastPass CEO Karim Toubba explained that while the company's "Zero Knowledge architecture" means LastPass itself never holds users' master passwords, the security of an encrypted vault ultimately hinges on the complexity of that master password. The ICO's statement stressed the obligation of companies like LastPass to protect their users' data, and advised both organisations and users to strengthen their security, including by using long and complex passwords, ideally at least 16 characters, to secure sensitive information.
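The master-password point above, as an added example that is not from the article, LastPass, or the ICO: a toy vault whose key is derived from the master password with PBKDF2-HMAC-SHA256, and an offline dictionary attack run against the stolen blob. The vault format, the 100,100-iteration KDF cost, the known-plaintext header, and the SHA-256 counter keystream are assumptions chosen so the demo needs only the standard library; they are not LastPass's actual scheme, and a real vault would use an AEAD such as AES-256-GCM. The wordlist and vault contents are constructed.

```python
"""Added example: offline guessing against a stolen, still-encrypted vault.

Illustrative code written for this page, not LastPass's scheme. The vault
format, the PBKDF2 iteration count and the SHA-256 counter keystream are
assumptions; a real vault would use an AEAD such as AES-256-GCM.
"""
import hashlib
import os
import time
from typing import Iterable, Optional

ITERATIONS = 100_100     # assumed KDF cost; raising it slows every guess the attacker makes
SALT_LEN = 16
HEADER = b"VAULT1:"      # known plaintext: lets a guesser verify a key without an auth tag


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the only link between the master password and the vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    # Toy counter-mode keystream (assumption, not a real cipher): SHA-256(key || counter).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, plaintext: bytes, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> bytes:
    """Returns salt || ciphertext: the blob an attacker would lift from cloud storage."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    key = derive_key(master_password, salt, iterations)
    data = HEADER + plaintext
    return salt + bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def try_decrypt(master_password: str, blob: bytes, iterations: int = ITERATIONS) -> Optional[bytes]:
    """Decrypt with a candidate password; None unless the known header appears."""
    salt, ct = blob[:SALT_LEN], blob[SALT_LEN:]
    key = derive_key(master_password, salt, iterations)
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))
    return pt[len(HEADER):] if pt.startswith(HEADER) else None


def candidate_passwords(words: Iterable[str]):
    """Constructed wordlist plus the mangling rules cracking tools apply first."""
    for w in words:
        for variant in (w, w + "1", w + "!", w + "2022"):
            yield variant


def offline_crack(blob: bytes, candidates: Iterable[str], iterations: int = ITERATIONS):
    """No server, no lockout, no rate limit: guesses are tested directly against the blob."""
    tried = 0
    for guess in candidates:
        tried += 1
        if try_decrypt(guess, blob, iterations) is not None:
            return guess, tried
    return None, tried


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of a given length over a given alphabet."""
    return alphabet_size ** length / guesses_per_second


def measure_guess_rate(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Guesses per second at this KDF cost on this machine (one core, plain PBKDF2)."""
    salt = b"\x00" * SALT_LEN
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"bench{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


WORDLIST = ["password", "letmein", "qwerty", "sunshine", "lastpass", "welcome"]  # constructed

if __name__ == "__main__":
    secret = b"bank: user=alice pass=hunter2"  # constructed vault contents
    weak_blob = encrypt_vault("sunshine1", secret)
    strong_blob = encrypt_vault("correct-horse-battery-staple-9Q2", secret)

    print("weak vault:", offline_crack(weak_blob, candidate_passwords(WORDLIST)))
    print("strong vault:", offline_crack(strong_blob, candidate_passwords(WORDLIST)))

    rate = measure_guess_rate()
    # GPU crackers run orders of magnitude faster than this single-core rate; scale accordingly.
    for length in (8, 16):
        years = seconds_to_exhaust(length, 62, rate) / (365 * 24 * 3600)
        print(f"{length}-char alphanumeric at {rate:.0f} guesses/s: {years:.3g} years worst case")
```

The weak vault falls on the fourteenth guess; the strong one survives the whole list, and the worst-case figures show why the ICO's 16-character advice matters: moving from 8 to 16 alphanumeric characters multiplies the keyspace by 62^8, roughly 2 x 10^14. The defender's other lever is the KDF iteration count, which sets the per-guess cost, but once the blob has been stolen only those two numbers stand between the attacker and the vault contents.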