Could You Be Affected by the LastPass Data Breach?

LastPass has been fined over £1 million after a major data breach affected 1.6 million UK users. Was your information compromised?

Join the Claim isn’t a law firm. We connect you with regulated UK firms that run group action claims. If one of our partner firms takes this case forward, we’ll share more details, including how to check your eligibility.
Join the Claim Limited is a claims management company. This claim is not regulated by the Financial Conduct Authority. Join the Claim Limited is authorised and regulated by the FCA (FRN: 1053404) for regulated claims management activities only.


Quick & Simple

Register your interest

Stay Informed

Get justice

Overview

LastPass, a widely used password management service, has been fined £1.2 million by the UK’s Information Commissioner’s Office (ICO) following a major data breach. 

 

According to regulators and security experts, the attackers were able to access:

  • Encrypted password vault data, including usernames and passwords
  • Website URLs and metadata linked to stored accounts
  • Some unencrypted personal information, such as email addresses, IP addresses and telephone numbers

 

The incident, which dates back to 2022, affected up to 1.6 million people in the UK. The sensitive nature of the data held by LastPass makes this breach particularly significant. In announcing the fine, the ICO said LastPass had “failed its customers,” leaving them exposed to avoidable risk.

However, none of the ICO’s fine will go to those affected by the breach.

If you were a UK LastPass user during the period affected by the breach and believe your personal data may have been compromised, you may be entitled to compensation.

Register your interest today, and we will keep you updated if one of our regulated UK partner law firms is able to take this claim forward.

LastPass data breach – At a glance

  • Status: Stay Informed
  • Potentially affected: 1.6 million in the UK
  • ICO fine: £1.2 million

Why register with Join the Claim?  

Join the Claim is bringing people together — uniting those who want answers, accountability and stronger data protections from the businesses they trust. 

Staying informed is the first step towards change. By registering alongside others affected, you’re showing that people expect better. And that when something goes wrong, they want to see it put right. 

What do we know about the LastPass data breach?

  • The ICO’s investigation found that the breach unfolded in two stages. In August 2022, attackers compromised the corporate laptop of a LastPass employee, gaining access to source code and internal technical information. That information was then used several months later to target the personal laptop of a senior engineer.
  • Through this second attack, hackers obtained credentials and encryption keys that allowed them to access cloud-based backup storage. This storage contained customer data, including encrypted copies of password vaults. 
  • Independent reporting has linked the breach to ongoing financial losses, including cryptocurrency thefts believed to be connected to compromised credentials, although there is no official confirmation that all such losses directly resulted from decrypted LastPass vaults.

How Join the Claim works

Quick survey

Take a moment to answer a few simple questions so we can understand your connection and keep you updated.

Register interest

Share your details so we can keep you informed if any updates become available.

Join a claim

If a partner law firm takes this claim forward, we’ll let you know the next steps and how to join.

Latest updates on the LastPass data breach

  • January 2026

    Following regulatory action and ongoing concerns about the handling of personal data, Join the Claim opens registration for UK users who believe they may have been affected by the LastPass data breach. 

  • December 2025

    The ICO issues a £1.2 million fine against LastPass’s UK entity, confirming that up to 1.6 million UK users were affected. The regulator states that users had a right to expect stronger protection and that the failings left them exposed to unnecessary risk. 
     

  • 2022

    LastPass publicly confirms that customer information was accessed. The company begins notifying users and advising security steps such as password changes and enabling multi-factor authentication. 

We’ll provide more updates on the data breach as they occur.  


Are you affected by the LastPass data breach?

Register to stay updated and we’ll let you know if a partner law firm takes this claim forward. 

Frequently asked questions about the LastPass data breach

LastPass is a password management service that allows users to store and manage login details for websites and apps in one encrypted digital vault. It is used by millions of individuals and businesses worldwide. 

Attackers first gained access to internal systems via an employee’s device, then later used that information to access cloud-based backup data. This led to unauthorised access to customer information, including encrypted vault data. 

The UK’s data protection regulator estimates that up to 1.6 million UK users were affected by the breach. 

The attackers accessed a mix of encrypted and unencrypted data, including: 

  • Encrypted password vault data (such as usernames and passwords stored in vaults)
  • Website URLs linked to stored accounts
  • Some personal information, such as email addresses, IP addresses and phone numbers 

 

LastPass and regulators have said there is no evidence that passwords were decrypted, but stolen encrypted data can still carry long-term risks. 

The Information Commissioner’s Office (ICO) fined LastPass £1.2 million after finding it had failed to put sufficiently robust technical and organisational security measures in place. The regulator said users had a right to expect stronger protection for such sensitive data. 

Not necessarily. Security experts and regulators continue to recommend password managers as a safer alternative to reusing passwords across multiple sites. However, the breach highlights that password managers are not risk-free and that strong governance, staff security practices and supplier controls are critical. 

If you were a UK LastPass user during the period affected by the breach and are concerned about how your data was handled, you can register your interest to stay informed about potential next steps and options that may become available with our trusted legal partners. 

We are not a law firm. Our role is to keep people informed about potential group actions if one of our regulated UK partner law firms is able to take this claim forward.  

By registering, you’ll stay up to date with any developments — from investigations to possible legal action.  

No. Registering simply means you’ll receive updates. If a law firm later takes on the case, you’ll be given the option to learn more about the process and any potential costs before deciding whether to take part. 

A group action claim allows people affected by the same issue to take action together. This strength in numbers helps stand up to big organisations. Join the Claim helps connect people with law firms so these actions have a real impact. 

Rated Excellent on REVIEWS.io

Clifford
Very easy to sign up, hope it's sorted soon
Susan
Very easy and quick to complete the claim. Everything was explained well and fees payable in etc were made very clear
Peter
So easy to sign up for the claim
