Talk:2022 LastPass data breach/GA1


GA review


Nominator: Joereddington (talk · contribs) 12:42, 26 December 2025 (UTC)

Reviewer: JustARandomSquid (talk · contribs) 10:12, 4 February 2026 (UTC)

Hello! Let's get this reviewed. JustARandomSquid (talk) 10:12, 4 February 2026 (UTC)

GA review (see here for what the criteria are, and here for what they are not)
  1. It is reasonably well written.
    a (prose, spelling, and grammar): b (MoS for lead, layout, word choice, fiction, and lists):
  2. It is factually accurate and verifiable, as shown by a source spot-check.
    a (reference section): b (inline citations to reliable sources): c (OR): d (copyvio and plagiarism):
  3. It is broad in its coverage.
    a (major aspects): b (focused):
  4. It follows the neutral point of view policy.
    Fair representation without bias:
  5. It is stable.
    No edit wars, etc.:
  6. It is illustrated by images and other media, where possible and appropriate.
    a (images are tagged and non-free content have non-free use rationales): b (appropriate use with suitable captions):
  7. Overall:
    Pass/Fail:
  • I've gone through the prose, and it looks ok to me. I've fixed the minor issues myself, as it'll probably be faster than telling you what I want fixed. One thing though — the dates are inconsistently formatted (September 10, 10 September, 10th September...). That should be fixed. I'll let you decide what format you prefer. JustARandomSquid (talk) 10:21, 4 February 2026 (UTC)


This table checks 10 passages from throughout the article (29.4% of 34 total passages). These passages contain 10 inline citations (26.3% of 38 in the article). Generated with the Veracity user script. JustARandomSquid (talk) 11:44, 4 February 2026 (UTC)


Spot check table

Columns: Reference #, Letter, Source, Archive (empty for all rows), Status, Notes

Background
  Passage: The SSE-C key was always encrypted when not in use, and only four people at LastPass were able to decrypt the key itself.
  Reference: 1a, ico.org.uk. Status: ?
  Notes: It does support it in principle, but it doesn't say always encrypted and only four people, that's a bit interpretative. JustARandomSquid (talk) 21:36, 6 February 2026 (UTC)
    So this is odd... I was mortified that the spot check threw anything up because I spent a decent amount of time making sure the page numbers are all fine, but it's possible we aren't looking at the same page numbers here. The two paragraphs of the report I'm citing here (labelled 15 as per the reference but 16 in terms of the pdf viewer) is this one: and I feel like it is covering both those statements. Can I (literally) check we are on the same page? Joe (talk) 11:00, 9 February 2026 (UTC)
    Honestly, that was three days ago, I've wholeheartedly forgotten what I was looking at. That screenshot's good enough for me. JustARandomSquid (talk) 15:04, 9 February 2026 (UTC)

Attack timeline
  Passage: along with technical documentation and an encrypted version of the SSE-C key
  Reference: 2b, support.lastpass.com. Status: Good
  Notes: I don't actually see this here, but it is in the ICO report, and notwithstanding that it isn't entirely clear which reference supports what, it is all supported. JustARandomSquid (talk) 21:36, 6 February 2026 (UTC)
    So the quotes in question are "in turn, accessed technical documentation" and "and some encrypted credentials used for production capabilities such as backup.", I guess it's not named as the SSE-C key in that source... Joe (talk) 06:49, 14 February 2026 (UTC)

  Passage: On 12 August 2022, the personal computer of a separate LastPass employee (a senior DevOps engineer,
  Reference: 3b, blog.lastpass.com. Status: Good

  Passage: Between the 12th and the 18th August, LastPass rotated any clear text credentials or secrets that may have been accessed by the Incident 1 attacker, along with the AWS Access Keys
  Reference: 1h, ico.org.uk. Status: Fail
  Notes: I actually don't see the date 12th. I see "LastPass also rotated the AWS Access Keys [...] between 16 August and 18 August 2022." - might that be what you were referring to? JustARandomSquid (talk) 21:36, 6 February 2026 (UTC)
    Quite right, I have changed it. Joe (talk) 07:06, 14 February 2026 (UTC)

  Passage: On 20 August, after LastPass had rotated their keys, the attacker extracted the contents of the senior DevOps engineer's Employee Business account vault containing the keys.
  Reference: 1j, ico.org.uk. Status: Good

  Passage: On 15 and 22 October 2022, activity by the attacker triggered AWS GuardDuty alerts, however due to errors in the setup of the mailing list and a miscommunication between teams, the LastPass Security operations centre were not made aware of the alerts until 2 November.
  Reference: 1m, ico.org.uk. Status: Good
  Notes: Consider citing the previous page though, I didn't notice where the date 22 October came from. JustARandomSquid (talk) 21:36, 6 February 2026 (UTC)

Impact
  Passage: along with the number of rounds of encryption used for the user's password vault.
  Reference: 5a, arstechnica.com. Status: Fail
  Notes: Don't actually see this, unfortunately. Was this in another source, maybe? JustARandomSquid (talk) 21:36, 6 February 2026 (UTC)
    Hmmm, I have removed the sentence (Googling has found me no other sources). I am certain it was there though. My personal conspiracy theory is: after the ICO report gets published, various journalists update their articles to get rid of things that turned out to be wild speculation. That takes a while and I wrote the article in the period between the report being released and the articles getting updated. I will have to go and get myself a tinfoil hat. :D 07:14, 14 February 2026 (UTC)

  Passage: It also included the password vaults that were encrypted with users' master passwords.
  Reference: 1q, ico.org.uk. Status: ?
  Notes: I can't find this, but that's because there's no page. Any idea where this might be? JustARandomSquid (talk) 21:36, 6 February 2026 (UTC)
    Doh! There's always one. It was page 14 and I've made the edit.

  Passage: In 2025, a larger heist of $150 million was also linked to the 2022 data theft.
  Reference: 9b, krebsonsecurity.com. Status: Good

Legal consequences
  Passage: In announcing the enforcement action, Information Commissioner John Edwards said that "LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure".
  Reference: 13, ico.org.uk. Status: Good

Comments

  • I am just going to tick off the easy stuff, stable history and references section. I also see no issues with NPOV, so let's get that ticked off. JustARandomSquid (talk) 13:29, 4 February 2026 (UTC)
    I've just taken a swing at dates. Let me know when you feel able to complete the review (I have a pile of marking to do so no rush from my side) Joe (talk) 13:43, 5 February 2026 (UTC)
    One thing I noticed in the initial read is that basically all of Background and Attack timeline are sourced to primary sources (either the LastPass website or the ICO report). WP:PRIMARY says to be careful about that. Could some of that be at least corroborated to an independent source, something like ? JustARandomSquid (talk) 14:01, 5 February 2026 (UTC)
    Makes sense. For the purposes of the review I'm going to hide behind WP:GANOT - but to talk about your point more generally... Yes, I think that things like the ICO report are PRIMARY, but I also think they are independent and WP:RS. The actual issue here (and I'm quietly slipping into gear on a longer rant) is that broadly, unless forced by law, companies release almost zero information about cyber-attacks other than "It happened" and some things that will later turn out to be media spin when it reaches court. In the majority of cases the law _is_ the ICO reports. If we look at 2015_TalkTalk_data_breach (also a beneficiary of the Feb GA push), four people went through full court cases and were sentenced, but we know almost nothing of technical detail from those sources (partly because of the way the UK court system works - indeed, we don't seem to know which of the suspects actually performed the DDOS) and instead everything comes from the ICO. All the secondary sources are just quotes from the ICO. Indeed, I only started this article because the ICO released its report.
    Now, I'm sympathetic to the argument that it would be better to view the ICO's report through a secondary source that included commentary and editorial judgement on an agency that, while independent, does have its own motives and bias. Particularly one that included some other major source (court transcripts and so on, often someone like Wired has quite a lot of other good sourcing) but there wasn't a great example in this case. Professionally, what I probably should do is write up such a paper myself at the same time I write the Wikipedia article because then I'd have a few more bits of publication to put in my promotion application, but who has the time? If there were a couple of good academic papers and maybe a book as well, then I'd definitely be writing quite a different article, perhaps with ambitions for FA. *shrug* Does that make sense? Joe (talk) 09:38, 6 February 2026 (UTC)
    I'm certainly sympathetic to people hiding behind WP:GANOT, not least because we'd have a much smaller GAN backlog if people weren't so pedantic. So, I won't be either. JustARandomSquid (talk) 21:04, 6 February 2026 (UTC)
    @Joereddington I've done a spot-check. I've left comments as I go along, I see nothing indicative of broader problems with source-text integrity, just a few issues to be resolved. JustARandomSquid (talk) 21:38, 6 February 2026 (UTC)
  • I've also looked at the MoS related criteria, and we have no issues with layout, no problematic words to watch, and the lead is an accurate summary of the article. One minor nitpick is the sentence "The incidents led to significant downstream risk because stolen vault backups can be subjected to offline cracking attempts, with the likelihood of compromise depending on factors such as users’ master-password strength and encryption settings (including iteration counts)" which isn't really verified in the body of the article, or even mentioned at all? JustARandomSquid (talk) 21:45, 6 February 2026 (UTC)
    I've just reworded the lead for this (I'm not sure I super like my wording, I think it could be smoother). Is there anything I'm missing? I was a bit worried by the spot check, but I think it was mostly the pdf page numbers you and I were using were different. What's our next action here? Joe (talk) 09:39, 13 February 2026 (UTC)
    Did you take a look at the other comments I left in the table? Nothing's super problematic or indicative of any wider issues, but it would be nice to address. JustARandomSquid (talk) 22:34, 13 February 2026 (UTC)
    Done :) Joe (talk) 07:14, 14 February 2026 (UTC)
    Alrighty then, that should be it! Passing. JustARandomSquid (talk) 08:03, 15 February 2026 (UTC)
    Wonderful! Thank you so much for all your work reviewing the article :) Joe (talk) 09:44, 15 February 2026 (UTC)