ico.org.uk | The Information Commissioner’s Office (ICO)
Date 11 December 2025
The Information Commissioner’s Office (ICO) has fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users.
Service which promises to help people improve their security, has failed them, leaving them vulnerable
Combination of two isolated incidents enabled hacker to steal personal information relating to 1.6m customer
‘Zero knowledge’ encryption system ensures customer passwords and vaults are not decrypted
We have fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users.
We found that LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. There is no evidence that hackers were able to unencrypt customer passwords as these are stored locally on customer devices and not by LastPass.
The incidents occurred in August 2022 when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and then was able to capture the employee’s master password. The combined detail from both incidents enabled the hacker to access LastPass’ backup database and take personal information which included customer names, emails, phone numbers, and stored website URLs.
John Edwards, UK Information Commissioner, said:
“Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced.
“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today.
“I call on all UK business to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks”.
Details of the two incidents
Incident one
A hacker compromised a LastPass employee’s corporate laptop and gained access to the company’s development environment.
No personal information was taken however encrypted company credentials were. If decrypted, this would allow access to the company’s backup database.
LastPass took steps to mitigate the hacker’s activity and believed encryption keys remained safe as they were stored outside of the area accessed by the hacker in the account vaults of four senior employees.
Incident two
The hacker then targeted one of the senior employees who had access to the decryption keys, gaining access to their personal device via a known vulnerability in a third-party streaming service.
A keylogger was installed capturing the employee’s master password and multi factor authentication was bypassed using a trusted device cookie.
The hacker then gained access to the employee’s personal and business LastPass vaults, which were linked using a single master password.
The hacker then gained access to the employee’s business vault which contained the Amazon Web Service (AWS) access key and decryption key.
This information, combined with information taken the day before, enabled the hacker to extract the contents of the backup database which contained the personal information.
Our investigation found no evidence that encrypted passwords and other credentials were able to be unencrypted by the hacker. This is due to LastPass’ use of a ‘zero knowledge’ encryption system, whereby the master password required to access a password vault is stored locally on a customer’s own device and never shared with LastPass.
Advice and guidance
We urge organisations to ensure internal security policies explicitly consider and address data breach risks. Where risks are identified access should be restricted to specific user groups.
Businesses wishing to review their procedures should turn to our and the National Cyber Security Centre websites which provide a rich source of information detailing ways to improve practices including Working from home – security checklist for employers, Data security guidance and Device security guidance.
