Particle.news

ICO Fines LastPass £1.2 Million Over 2022 Breach Affecting 1.6 Million UK Users

The watchdog blames weak access controls and poor alerting for the breach.

Overview

  • Regulators say the 2022 incident involved two linked intrusions: the first began with a developer’s compromised MacBook, and the second targeted a DevOps engineer’s personal PC, compromised through a Plex vulnerability, on which a keylogger captured the engineer’s master password and a session cookie that let the attacker bypass MFA.
  • The attacker obtained an AWS access key and a decryption key and, together with SSE‑C (server-side encryption with customer-provided keys) key material stolen earlier, used them to copy backup databases hosted in the cloud. With SSE‑C, S3 never holds the key and cannot decrypt an object unless the caller supplies it, so possessing both the access credentials and the customer key is enough to read the backups.
  • Stolen data included encrypted vault backups and customer metadata such as names, email addresses, phone numbers, IP addresses, and physical addresses, with the ICO reporting no evidence that passwords were decrypted.
  • The ICO faulted a policy that let senior staff link personal and business vaults under the same master password, which helped the attacker reach sensitive decryption keys.
  • Alerting gaps slowed detection: AWS GuardDuty notifications were being sent to an outdated distribution list during the transition from GoTo, so unusual activity flagged between October 15 and 22, 2022 was not triaged until November 2.
  • Some researchers continue to claim that weak master passwords on the stolen vault backups were cracked offline, a point the regulator does not confirm.
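The alerting failure above is the kind of gap that is cheap to check for on a schedule. The script below is an added example, not code from LastPass, GoTo, or the ICO notice: it runs two checks over data in the shapes returned by boto3’s `guardduty.get_findings()` and `sns.list_subscriptions_by_topic()`, flagging unarchived findings that have been open longer than a per-severity triage SLA and topic subscriptions that will never reach a human (unconfirmed ones, or e-mail endpoints not on the current on-call roster). The findings, subscriptions, SLA values, dates and addresses are constructed for illustration; a real run would replace the constructed lists with the API results.

```python
"""Triage-lag and stale-subscription checks for GuardDuty alerting.

Added example with constructed data; not from LastPass, GoTo, or the ICO.
The dicts mirror boto3 guardduty.get_findings() and
sns.list_subscriptions_by_topic() responses so the logic ports directly.
"""
from datetime import datetime, timezone

# Assumed triage SLA in hours per severity band (not taken from the page).
TRIAGE_SLA_HOURS = {"HIGH": 4, "MEDIUM": 24, "LOW": 72}


def severity_label(score):
    """Map GuardDuty's numeric severity to its documented bands."""
    if score >= 7.0:
        return "HIGH"      # 7.0-8.9
    if score >= 4.0:
        return "MEDIUM"    # 4.0-6.9
    return "LOW"           # 1.0-3.9


def parse_ts(s):
    """GuardDuty timestamps look like 2022-10-15T00:00:00.000Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def overdue_findings(findings, now):
    """Return (finding id, severity band, hours open) for every unarchived
    finding whose age exceeds the SLA for its band."""
    overdue = []
    for f in findings:
        if f["Service"]["Archived"]:
            continue  # archived findings count as triaged
        band = severity_label(f["Severity"])
        hours = (now - parse_ts(f["Service"]["EventFirstSeen"])).total_seconds() / 3600
        if hours > TRIAGE_SLA_HOURS[band]:
            overdue.append((f["Id"], band, round(hours, 1)))
    return overdue


def stale_subscriptions(subscriptions, active_endpoints):
    """Flag subscriptions that cannot reach a responder: pending confirmation,
    or e-mail endpoints absent from the current on-call roster."""
    stale = []
    for s in subscriptions:
        if s["SubscriptionArn"] == "PendingConfirmation":
            stale.append((s["Endpoint"], "unconfirmed"))
        elif s["Protocol"] == "email" and s["Endpoint"].lower() not in active_endpoints:
            stale.append((s["Endpoint"], "not on current roster"))
    return stale


# --- constructed sample data (illustrative only) ---------------------------
NOW = datetime(2022, 11, 2, tzinfo=timezone.utc)

FINDINGS = [
    {"Id": "f-1", "Severity": 8.0, "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
     "Service": {"Archived": False, "EventFirstSeen": "2022-10-15T00:00:00.000Z"}},
    {"Id": "f-2", "Severity": 5.5, "Type": "Discovery:S3/AnomalousBehavior",
     "Service": {"Archived": False, "EventFirstSeen": "2022-10-22T00:00:00.000Z"}},
    {"Id": "f-3", "Severity": 8.0, "Type": "Exfiltration:S3/AnomalousBehavior",
     "Service": {"Archived": True, "EventFirstSeen": "2022-10-18T00:00:00.000Z"}},
    {"Id": "f-4", "Severity": 2.0, "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Service": {"Archived": False, "EventFirstSeen": "2022-11-01T12:00:00.000Z"}},
]

ACTIVE_ROSTER = {"secops-oncall@example.com"}  # hypothetical current list

SUBSCRIPTIONS = [
    {"SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:guardduty:aaaa",
     "Protocol": "email", "Endpoint": "security-alerts@example.com"},
    {"SubscriptionArn": "PendingConfirmation",
     "Protocol": "email", "Endpoint": "old-oncall@example.com"},
    {"SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:guardduty:cccc",
     "Protocol": "email", "Endpoint": "secops-oncall@example.com"},
    {"SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:guardduty:dddd",
     "Protocol": "https", "Endpoint": "https://siem.example.com/ingest"},
]


def report(findings=FINDINGS, subscriptions=SUBSCRIPTIONS, roster=ACTIVE_ROSTER, now=NOW):
    """Combine both checks into one structure suitable for a scheduled job."""
    return {
        "overdue": overdue_findings(findings, now),
        "stale_subscriptions": stale_subscriptions(subscriptions, roster),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(k, v)
```

Run on a schedule against the real topic and detector, a non-empty `stale_subscriptions` result is the signal that alerts are going somewhere nobody reads; a non-empty `overdue` result is the eighteen-day gap described above, caught at hour five instead of day eighteen.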