> series: anatomy_of_a_breach —— part: 168 —— year: 2022 —— verdict: cyber_war_vault_theft_and_data_weaponised_with_cruelty
In December 2022, two events closed the year. LastPass confirmed that attackers — building on the August 2022 source code theft documented in #164 — had accessed a cloud storage environment containing encrypted backups of customer password vaults. Millions of LastPass users' encrypted vaults — containing usernames, passwords, secure notes, and form-fill data for every site they used — were now in the attackers' possession. The security of those vaults depended entirely on the strength of each user's master password. For users with weak master passwords, their entire digital life was compromised.
On 20 December, The Guardian — one of the world's most prominent newspapers — was hit by an attack that disrupted internal systems and forced staff to work from home. The attack, later confirmed as ransomware, affected internal business systems but did not compromise the newspaper's ability to publish. The Guardian's transparent handling — continuing to report on its own breach — contrasted with the opacity that has characterised many corporate breach responses throughout this series. The ICO investigated, and The Guardian confirmed that UK staff personal data was accessed.

| # | Breach | Key Lesson |
|---|---|---|
| 157 | Red Cross / ICRC | 515K of the world's most vulnerable. Unpatched Zoho. Humanitarian data targeted. |
| 158 | Ukraine Cyber War | Viasat satellite attack. Wiper malware. Cyber as a weapon of war. |
| 159 | Lapsus$ | Teenagers hack Nvidia, Samsung, Microsoft, Okta. MFA fatigue. 16-year-old from Oxford. |
| 160 | Ronin / Axie ($620M) | Largest crypto heist. Lazarus Group. Started with a fake LinkedIn job offer. |
| 161 | Costa Rica Conti | First national emergency for a cyber attack. 27 government institutions. |
| 162 | Cash App Insider | 8.2M by former employee. Access not revoked on departure. Basic failure. |
| 163 | Twitter 5.4M API | Phone numbers exposed through API enumeration. Facebook, LinkedIn, Twitter — same vulnerability. |
| 164 | NHS Advanced + LastPass | UK: NHS 111 disrupted by MSP ransomware. LastPass source code stolen — the prelude. |
| 165 | Uber (2022) | MFA fatigue + WhatsApp social engineering. Teenager gets full internal access. Again. |
| 166 | Medibank | 9.7M health records. Mental health, HIV, abortion data published as punishment. |
| 167 | Dropbox Source Code | CircleCI phishing captures hardware MFA. 130 repos. FIDO2 is the only answer. |
| 168 | LastPass Vaults + Guardian + Review | Millions of password vaults stolen. The Guardian ransomwared. Fourteen years documented. |

With 168 articles spanning fourteen years, the Anatomy of a Breach series has documented the most complete history of the modern cyber threat landscape in existence. From HMRC's lost CDs to cyber warfare in Europe. From a teenager with SQL injection to teenagers with MFA fatigue. From CryptoLocker's $300 to Ronin's $620 million. The attack techniques evolve. The root causes do not. The controls remain the same.
Penetration testing. Cyber Essentials certification. SOC in a Box monitoring. Incident response capability. Fourteen years of evidence. One conclusion. The organisations that implement these controls survive. The rest fill these pages. The series continues.
[Test](/penetration-testing). [Certify](/cyber-essentials). [Monitor](https://www.socinabox.co.uk). [Prepare](https://www.cyber-defence.io). Fourteen years of evidence demands nothing less.