UK Fines LastPass for Major Data Breach Impacting 1.6 Million Users
The UK Information Commissioner's Office (ICO) has fined LastPass £1.2 million ($1.6 million) following a significant data breach in 2022 that compromised the personal information of up to 1.6 million UK users. The breach occurred in two stages: initially, an attacker compromised a company developer's work-issued laptop, exfiltrating source code and technical documentation, including unencrypted and encrypted credentials. This access was later leveraged to target a senior engineer's personal laptop, allowing the attacker to obtain credentials and keys used to access and decrypt storage volumes within LastPass's cloud-based storage service. The ICO determined that LastPass failed to implement sufficiently robust technical and security measures to protect customer data, leading to the substantial penalty.
Although the attackers obtained encrypted versions of sensitive data, including website names and passwords, the ICO noted there was no evidence that customer passwords were decrypted, as these are stored locally on user devices. However, security experts have raised concerns about the potential for brute-force attacks on the stolen vaults, with reports linking the breach to cryptocurrency thefts. The ICO emphasized the importance of strong security practices for password management services and urged all UK businesses to take steps to protect customer data in light of this incident.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
ICO fines LastPass £1.2 million over the 2022 breach
On 2025-12-11, the UK Information Commissioner's Office announced a £1.2 million fine against LastPass UK Ltd for failing to implement adequate technical and organizational security measures. The ICO said the 2022 breach affected up to 1.6 million people in the UK and cited shortcomings in device security, credential policy, alerting, and incident response.
Customer data and encrypted vaults are exfiltrated from LastPass
Following the two-stage intrusion, attackers stole customer information and encrypted password vault data, including names, email addresses, phone numbers, physical addresses, and website URLs. Reports said there was no evidence that master passwords themselves were decrypted, though weak vault passwords remained at risk of brute-force attacks.
Attackers exploit Plex flaw on senior engineer's personal device
Later in 2022, attackers targeted a US-based senior DevOps engineer's personal desktop by exploiting CVE-2020-5741 in Plex Media Server. The compromise gave them access to additional credentials and decryption-related material needed to reach customer data.
Attackers compromise a LastPass developer's laptop and steal source code
In 2022, attackers breached a LastPass developer's work-issued MacBook Pro and development environment, exfiltrating source code and company credentials. This initial intrusion became the first phase of the wider LastPass breach.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
UK’s ICO Fine LastPass £1.2 Million Over 2022 Security Breach
hackread.com
Open sourceLastPass hammered with £1.2M fine for 2022 breach fiasco
go.theregister.com
Open sourceLastPass hammered with £1.2M fine for 2022 breach fiasco
theregister.com
Open sourceUK fines LastPass £1.2 million for data breach affecting 1.6 million people
therecord.media
Open sourceUK fines LastPass over 2022 data breach impacting 1.6 million users
bleepingcomputer.com
Open sourcePassword manager provider fined £1.2m by ICO for data breach affecting up to 1.6 million people in the UK
ico.org.uk
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
LastPass Breach Exposed Customer Vault Backups After DevOps Engineer Compromise
LastPass disclosed that attackers expanded an initial August 2022 development-environment breach into a broader compromise that reached customer vault backups and account data. According to the company and subsequent reporting, the intruders used source code and technical information stolen in the first intrusion, combined with intelligence from a separate third-party breach, to target a DevOps engineer with access to decryption keys and AWS resources. The attackers compromised the engineer’s home computer through a vulnerable media software package, installed a keylogger, captured the employee’s master password after MFA, and then accessed the engineer’s corporate vault and shared folders. The stolen material included encrypted secure notes containing credentials and decryption keys for AWS S3 production backups, other cloud storage resources, and related database backups, allowing access to a separate cloud storage environment. LastPass said the attackers copied customer account information and metadata, plus backups of customer vault data containing unencrypted website URLs and **AES-256**-encrypted usernames, passwords, secure notes, and form data; later guidance urged users with weak master passwords to change stored credentials. The fallout triggered lawsuits, regulatory scrutiny including action by the UK ICO, and ongoing concern that weak master passwords could allow criminals to crack vault contents offline.
May 25, 2026
Capita Fined for Security Failings in Massive Data Breach Affecting 6.6 Million Individuals
The UK Information Commissioner's Office (ICO) imposed a record £14 million fine on Capita, the country's largest outsourcing company, following a major cyberattack in 2023 that compromised the personal data of 6.6 million people. The penalty was split between Capita plc (£8 million) and Capita Pension Solutions Limited (£6 million), reflecting the widespread impact across both the parent company and its pension subsidiary. The breach affected 325 out of more than 600 organizations that rely on Capita’s services, exposing sensitive information such as bank and credit card details, biometric data, passport information, login credentials, and even child data. For some individuals, the stolen data included details of criminal records, financial information, and other special category data. The ICO’s investigation found that Capita failed to implement adequate technical and organizational measures to secure personal data, leaving it vulnerable to attack and unable to respond effectively when the breach occurred. The attack began when a malicious JavaScript file was downloaded onto an employee’s device on March 22, 2023, but the compromised device was not quarantined for 58 hours, allowing attackers to access and exfiltrate data. Capita initially claimed there was no evidence of data compromise, but subsequent findings contradicted this, revealing the extent of the breach. The ICO originally considered a much higher fine of £45 million, but reduced the amount after Capita demonstrated improvements in security, provided support to victims, and cooperated with authorities including the National Cyber Security Centre. The breach led to significant anxiety and stress among affected individuals, with some reporting financial losses. Despite the incident, Capita continued to secure substantial government contracts, with 241 contracts worth £6 billion awarded since the breach. The ICO emphasized that no organization is too large to be held accountable for data protection failures and highlighted the importance of proactive cybersecurity measures. The fine represents approximately 12 percent of Capita’s 2024 post-tax profits, underscoring the financial and reputational consequences of inadequate data security. The incident serves as a stark reminder to all organizations of the critical need to safeguard personal data and maintain robust incident response capabilities.
Mar 21, 2026
Password Manager Security and Trust: Bitwarden ‘Cupid Vault’ Launch and LastPass Post-Breach Rebuild
Bitwarden launched **‘Cupid Vault’**, a feature aimed at safer credential sharing by letting free-tier users create a two-person shared vault as an *Organization* and invite a trusted person via email. The shared vault is **isolated** from the user’s personal vault, supports revocation of access, and includes a **fingerprint phrase** verification step intended to reduce adversary-in-the-middle enrollment risks; both members can edit or delete items in the shared collection. LastPass’s CEO described the company’s ongoing effort to rebuild trust and security culture following the **2022 intrusions**, which began with access to parts of the development environment via a **compromised developer account** and theft of source code/technical data. LastPass said information from that initial compromise enabled subsequent access to customer-related data, including **customer account metadata** (e.g., names, billing addresses, emails, phone numbers, IP addresses) and a **backup copy of encrypted customer vault data**, framing the incident as a catalyst for significant security program changes.
Mar 21, 2026