
ICO levies £1.2 million fine against LastPass — data breach compromised info on 1.6 million users

By Benedict Collins, published 11 December 2025

The ICO has made its final decision regarding the LastPass breach

  • The ICO has fined LastPass £1.2 million ($1.6 million)
  • Over 1.6 million users had data exposed in a data breach
  • The exposed data included names, emails, phone numbers, and URLs

The UK Information Commissioner's Office (ICO) has fined password manager provider LastPass £1.2 million ($1.6 million) for a 2022 data breach that affected 1.6 million users.

According to the ICO, LastPass “failed to implement sufficiently robust technical and security measures,” which resulted in two separate data breach incidents.

Since the data breach, researchers have linked a string of six-figure cryptocurrency heists to the LastPass breach.


Businesses take note

The breach began with an attacker obtaining encrypted company credentials after compromising a company laptop that had access to the LastPass development environment.

The attacker then gained access to the LastPass backup database by compromising a senior employee’s laptop with a keylogger, and stealing a trusted device authentication cookie.

With access to both the employee’s personal and business accounts, the hacker then stole an Amazon Web Services (AWS) access key and decryption key.

The attacker used the previously acquired keys to extract the contents of the backup database filled with personal information.


LastPass used zero-knowledge encryption, so no stored passwords have ever been confirmed to have been decrypted. The attacker did, however, exfiltrate customer names, emails, phone numbers, and stored website URLs.

John Edwards, UK Information Commissioner, said, “Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced.

“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today.

“I call on all UK business to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks”.

A LastPass spokesperson said, “We have been cooperating with the UK ICO since we first reported this incident to them back in 2022. While we are disappointed with the outcome, we are pleased to see that the ICO’s decision has recognized many of the efforts we have already taken to further strengthen our platform and enhance our data security measures. Our focus remains on delivering the best possible service to the 100,000 businesses and millions of individual consumers who continue to rely on LastPass.”
