LastPass fined £1.2M by ICO for comprehensive data breach


The Information Commissioner’s Office (ICO) has imposed a fine of £1.2 million on LastPass UK following a data breach that affected 1.6 million people.

According to the United Kingdom’s data protection authority, the password manager failed to implement sufficiently robust technical and security measures, which enabled a hacker to infiltrate the company’s backup database.

The breach unfolded in two linked incidents, the first in August 2022. In that first incident, the attacker compromised a corporate laptop belonging to one of LastPass's employees and used it to access the company's development environment.


The attacker did not exfiltrate any personal information in this first incident, but they did steal encrypted company credentials. LastPass judged the corresponding encryption keys to be safe because they were stored in a part of the corporate network the intruder had not reached.

The threat actor then targeted a senior employee who had access to the decryption keys. They gained access to the employee's personal device by exploiting a known vulnerability in a third-party streaming service, then installed a keylogger to capture the employee's company credentials as they were typed. Multi-factor authentication was bypassed by reusing a trusted-device cookie, which lets a session skip the second-factor prompt.

[Image: personal information of 1.6 million people. Image by Cybernews.]

Once the hacker had captured the employee's master password, they could open the employee's personal and business LastPass vaults, which held Amazon Web Services (AWS) access keys and the decryption key for the backups. Combining everything gathered so far, the attacker extracted the contents of the backup database, which contained the personal information of 1.6 million people, including names, email addresses, phone numbers, and stored website URLs.

The ICO found no evidence that the hacker was able to decrypt customers' encrypted passwords and other credentials in the stolen data, because of LastPass's zero-knowledge design: the master password that unlocks a user's vault is only ever entered on the user's own device and is never sent to or stored by LastPass, so the vault encryption key derived from it was not among the data the attacker obtained.
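To make the zero-knowledge point concrete, here is an added illustrative scheme (not LastPass's actual implementation, and not code from the article) showing why a stolen backup alone yields only ciphertext, while a master password captured by a keylogger, as in the second incident above, unlocks everything. The client derives both an encryption key and a separate authentication key from the master password; the server, and therefore its backups, only ever holds the salt, a hash of the authentication key, and the encrypted vault. The PBKDF2 iteration count, the HMAC-based stream cipher standing in for AES-GCM, and the sample vault contents are all assumptions constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

# Demo parameters (assumptions, not any vendor's real settings).
PBKDF2_ITERATIONS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive (encryption key, auth key) on the client.

    The master password never leaves this function. Only the derived auth key
    is ever sent to the server; the encryption key stays on the device.
    """
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream (stand-in for a real AEAD)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(enc_key: bytes, vault: dict) -> bytes:
    """Encrypt-then-MAC the vault JSON: nonce || ciphertext || tag."""
    plaintext = json.dumps(vault).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(enc_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(enc_key: bytes, blob: bytes) -> dict:
    """Verify the tag first; a wrong key (a guessed master password) fails here."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(enc_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def register(master_password: str, vault: dict) -> dict:
    """Everything the server (and hence a stolen backup of it) ends up holding."""
    salt = secrets.token_bytes(16)
    enc_key, auth_key = derive_keys(master_password, salt)
    return {
        "salt": salt,
        "auth_verifier": hashlib.sha256(auth_key).digest(),  # hash of the auth key, never the key
        "vault_blob": encrypt_vault(enc_key, vault),
    }


def server_login(record: dict, auth_key: bytes) -> bool:
    """Server-side check: it can verify the auth key but cannot derive the encryption key."""
    return hmac.compare_digest(hashlib.sha256(auth_key).digest(), record["auth_verifier"])


def attacker_with_backup_only(record: dict, guesses) -> dict | None:
    """Offline attack on a stolen backup: the attacker must guess the master password outright."""
    for guess in guesses:
        enc_key, _ = derive_keys(guess, record["salt"])
        try:
            return decrypt_vault(enc_key, record["vault_blob"])
        except ValueError:
            continue
    return None


def attacker_with_master_password(record: dict, captured_password: str) -> dict:
    """The keylogger case: a captured master password unlocks the vault directly."""
    enc_key, _ = derive_keys(captured_password, record["salt"])
    return decrypt_vault(enc_key, record["vault_blob"])


if __name__ == "__main__":
    # Constructed sample vault, not real data.
    sample_vault = {"aws_access_key": "AKIA-EXAMPLE-CONSTRUCTED", "sites": ["https://example.com"]}
    record = register("correct horse battery staple", sample_vault)
    print("backup-only attacker gets:", attacker_with_backup_only(record, ["password", "123456"]))
    print("keylogger attacker gets:", attacker_with_master_password(record, "correct horse battery staple"))
```

The split matters for incident analysis: a dump of the server's records is useless without the master password unless it can be guessed offline, which is why the strength of the key-derivation parameters and of users' master passwords, not the server's confidentiality, bounds the damage from a stolen backup.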


For these incidents and the impact of the data breach, the ICO has imposed a £1.2 million fine on LastPass.

“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today,” UK Information Commissioner John Edwards said in a statement.

