Three Years Later, the Bill Arrives: UK Fines LastPass Over 2022 Breach

The UK’s data protection authority has fined password manager LastPass £1.6 million after finding that the company did not do enough to protect user data during its 2022 security breach.

The fine was announced in December 2025 by the Information Commissioner’s Office (ICO) and relates to the exposure of personal data belonging to around 1.6 million users in the UK. Globally, the number of affected users was much higher.

According to the ICO, LastPass failed to put proper technical and organisational security measures in place, leaving customer data at risk.


What Happened

The breach dates back to 2022 and happened in two connected stages.

In the first stage, attackers broke into a LastPass developer’s laptop. This gave them access to the company’s internal development systems, where they stole source code and encrypted company credentials. At the time, LastPass said customer data had not been accessed.

However, this initial access helped attackers prepare a second, more serious attack.

In the second stage, the attackers targeted a senior DevOps engineer who had high-level access to LastPass systems. They installed a keylogger on the employee’s personal laptop, allowing them to capture login details, session tokens, and cloud access keys.

Using those credentials, the attackers accessed backup databases stored on Amazon Web Services (AWS) and copied large amounts of customer data.


What Data Was Exposed

The stolen backups included both encrypted and unencrypted information.

Unencrypted data included:

  • Names
  • Email addresses
  • Phone numbers
  • Billing addresses
  • IP addresses used to access LastPass
  • Website links saved in password vaults

Encrypted data included:

  • Usernames and passwords
  • Secure notes
  • Saved form details

LastPass uses a system where master passwords are never stored by the company, and investigators found no evidence that these passwords were directly decrypted. However, the ICO warned that users with weak master passwords remain at risk, as attackers can still try to crack encrypted vaults over time.


Why the ICO Took Action

The ICO’s investigation found several security problems inside LastPass, including:

  • Employees having broader access to sensitive cloud storage than necessary
  • Poor restrictions around backup data stored in AWS
  • A lack of tools to detect malware like the keylogger used in the attack
  • Insufficient monitoring of access to critical systems

ICO Commissioner John Edwards said LastPass “failed its users” and added that customers had a right to expect their personal information to be kept safe.


Ongoing Impact

Although the breach happened in 2022, its effects have continued for years. Security researchers have linked more than $438 million in stolen cryptocurrency to attacks connected to this incident, with thefts continuing into late 2024.

Many of these losses involved users whose vaults were protected by weak master passwords, which attackers were able to crack using the stolen backup data.
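The risk described above and in the ICO's warning about weak master passwords comes down to arithmetic: anyone holding a stolen encrypted backup can guess master passwords offline with nothing to throttle them, and the only things slowing them down are the key-derivation cost and the password's entropy. The following added example (not LastPass code; the PBKDF2 parameters, the email-as-salt convention and the "1M-core-equivalent fleet" multiplier are illustrative assumptions) measures a local PBKDF2 guess rate and turns it into expected crack times for a weak and a strong master password.

```python
import hashlib
import math
import time

# Assumed, illustrative KDF parameters: PBKDF2-HMAC-SHA256 with the account
# email as salt. Real vault formats and iteration counts differ by product and era.
KDF_ITERATIONS = 100_000
KEY_BYTES = 32


def derive_vault_key(master_password: str, email: str, iterations: int = KDF_ITERATIONS) -> bytes:
    """Derive the symmetric vault key an attacker must reproduce for every guess."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)


def measure_guess_rate(iterations: int = KDF_ITERATIONS, samples: int = 5) -> float:
    """Guesses per second one CPU core manages at this iteration count (a lower bound; GPUs are far faster)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess{i}", "user@example.invalid", iterations)
    return samples / (time.perf_counter() - start)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Average time to hit the right guess: half the keyspace at the given rate."""
    return (2 ** entropy_bits / 2) / guesses_per_second


def human_duration(seconds: float) -> str:
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    core_rate = measure_guess_rate()
    fleet_rate = core_rate * 1_000_000  # assumption: attacker has a 1M-core-equivalent GPU fleet
    print(f"single core at {KDF_ITERATIONS:,} iterations: {core_rate:,.0f} guesses/s")
    # Compare a weak 8-character lowercase master password with a 16-character mixed one.
    for label, length, alphabet in (("8 lowercase", 8, 26), ("16 mixed printable", 16, 95)):
        bits = password_entropy_bits(length, alphabet)
        print(f"{label:>20}: {bits:5.1f} bits -> ~{human_duration(expected_crack_seconds(bits, fleet_rate))}")
```

Raising the iteration count only shifts the crack time linearly, whereas each extra character of a random master password multiplies it, which is why the user advice centres on password strength rather than on the vendor's KDF settings.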


What This Means Going Forward

The ICO said password managers can still be useful tools, but companies that run them must have strong internal security controls, especially when handling backup data and cloud systems.

For users, the advice remains the same:

  • Use strong, unique master passwords
  • Enable multi-factor authentication
  • Stay alert for suspicious activity

For companies, the fine serves as a reminder that security failures can have long-lasting consequences, even years after a breach first occurs.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.