LastPass, a widely used password management service that helps individuals and businesses store and manage their login details securely, has been fined £1.2 million by the UK’s Information Commissioner’s Office (ICO) following a major data breach.
The incident dates back to 2022 and ultimately affected up to 1.6 million people in the UK alone. LastPass is one of the most recognisable password managers on the market, with more than 20 million users worldwide and around 100,000 businesses relying on its services. That scale, combined with the sensitive nature of the data it holds, makes this breach particularly significant.
What happened in the LastPass breach?
The ICO’s investigation found that the breach unfolded in two stages. In August 2022, attackers compromised the corporate laptop of a LastPass employee, gaining access to source code and internal technical information. That information was then used several months later to target the personal laptop of a senior engineer.
Through this second attack, hackers obtained credentials and encryption keys that allowed them to access cloud-based backup storage. This storage contained customer data, including encrypted copies of password vaults.
While LastPass maintains that there is no evidence customer passwords were decrypted, the ICO concluded that the company failed to put sufficiently robust technical and organisational measures in place to protect personal data.
What data was exposed?
According to regulators and security experts, the attackers were able to access:
- Encrypted password vault data, including usernames and passwords
- Website URLs and metadata linked to stored accounts (fields LastPass stored without encryption)
- Some unencrypted personal information, such as email addresses, IP addresses and telephone numbers
Although the vaults themselves were encrypted, cybersecurity specialists have warned that a stolen copy still carries risk. An attacker who holds the encrypted file can test master-password guesses offline, with no lockout or rate limit to slow them down, so a weak or guessable master password can eventually be recovered; and any credentials recovered that way are immediately usable on every other site where the same password was reused.
Independent reporting has linked the breach to ongoing financial losses, including cryptocurrency thefts believed to be connected to compromised credentials, although there is no official confirmation that such losses resulted from decrypted LastPass vaults.
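To make the offline-guessing risk concrete, here is an added example (not LastPass code, and not its real vault format): a toy vault whose key is derived from the master password with PBKDF2-HMAC-SHA256, salted with the account email, and sealed with an HMAC-based keystream plus an authentication tag. The key-derivation parameters, the cipher and the sample vault, wordlist and email address are all constructed for illustration. Holding only the blob and the email, the attacker pays one key derivation per guess, so a master password that appears in a common-password list falls after a handful of attempts, while one that does not survives the whole list; the decrypted entries then show why reuse across sites multiplies the damage.

```python
"""Why a stolen *encrypted* vault still carries risk: offline guessing.

Toy model, assumed for illustration (not any real product's format):
  key   = PBKDF2-HMAC-SHA256(master password, salt = account email, N iterations)
  vault = nonce || (plaintext XOR HMAC-SHA256 keystream) || HMAC tag
A wrong key fails the tag check, so each guess is verifiable offline.
"""
import hashlib
import hmac
import json
import os
from collections import defaultdict

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def derive_key(master_password: str, email: str, iterations: int) -> bytes:
    """Vault key from the master password (assumed construction, see docstring)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for a real block cipher."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal_vault(key: bytes, entries: list) -> bytes:
    """Encrypt-then-MAC the JSON-encoded entries: nonce || ciphertext || tag."""
    plaintext = json.dumps(entries).encode("utf-8")
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_vault(key: bytes, blob: bytes):
    """Return the entries, or None when the key is wrong (tag mismatch)."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def crack_offline(blob: bytes, email: str, iterations: int, wordlist: list):
    """Dictionary attack on a stolen blob. Returns (master_password, entries, guesses_used).
    Nothing limits the attacker here: each guess costs exactly one derive_key()."""
    for guesses, candidate in enumerate(wordlist, start=1):
        entries = open_vault(derive_key(candidate, email, iterations), blob)
        if entries is not None:
            return candidate, entries, guesses
    return None, None, len(wordlist)


def reused_passwords(entries: list) -> dict:
    """Map each password used on more than one site to the sites that share it."""
    sites = defaultdict(list)
    for entry in entries:
        sites[entry["password"]].append(entry["url"])
    return {pw: urls for pw, urls in sites.items() if len(urls) > 1}


# Constructed sample data: one small vault, one short "common passwords" list.
EMAIL = "alice@example.com"
ENTRIES = [
    {"url": "https://mail.example.com", "username": "alice", "password": "Hunter2!"},
    {"url": "https://bank.example.com", "username": "alice", "password": "Tr0ub4dor&3"},
    {"url": "https://shop.example.com", "username": "alice", "password": "Hunter2!"},
]
WORDLIST = ["password", "123456", "qwerty", "Summer2022!", "letmein", "Welcome1"]
WEAK_MASTER = "Summer2022!"                       # appears in the wordlist
STRONG_MASTER = "correct-horse-battery-staple-9f3k"  # does not


def demo(iterations: int = 5000):
    """Seal the same vault under a weak and a strong master password and attack both."""
    weak_blob = seal_vault(derive_key(WEAK_MASTER, EMAIL, iterations), ENTRIES)
    strong_blob = seal_vault(derive_key(STRONG_MASTER, EMAIL, iterations), ENTRIES)
    return (crack_offline(weak_blob, EMAIL, iterations, WORDLIST),
            crack_offline(strong_blob, EMAIL, iterations, WORDLIST))


if __name__ == "__main__":
    (weak_pw, weak_entries, n1), (strong_pw, _, n2) = demo()
    print(f"weak master password recovered: {weak_pw!r} after {n1} guesses")
    print(f"strong master password: {strong_pw!r} after {n2} guesses (list exhausted)")
    print("reused inside the recovered vault:", reused_passwords(weak_entries))
```

Raising the iteration count only multiplies the per-guess cost linearly, which helps against bulk cracking but does nothing for a master password that sits near the top of a wordlist; that is why the advice after a vault theft is to change the master password and, more importantly, every reused credential inside the vault.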
In announcing the fine, the ICO said LastPass had “failed its customers,” leaving them exposed to avoidable risk. The regulator stressed that password managers remain a recommended security tool, but companies offering these services must meet a very high standard.
As Information Commissioner John Edwards put it, customers had every right to expect the personal information they entrusted to LastPass would be kept safe — and in this case, that expectation was not met.
What this means for users
The LastPass breach has become a cautionary tale about how cyber incidents can unfold over time, and how weaknesses in governance, staff practices and supplier security can be just as important as the technology itself.
If you were a UK LastPass user during the period affected by the breach and believe your personal data may have been compromised, you may be entitled to compensation. We are keeping a close eye on developments and will let you know if any of our trusted legal partners decides to pursue a claim.
Join the Claim connects consumers with SRA-regulated lawyers. You can check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, simply register your interest, and we’ll keep you informed if a partner firm decides to take a claim forward.