
    LastPass Still Paying for Its 2022 Mistake as UK Imposes £1.2 Million Fine

By Mikolaj Laszkiewicz, December 12, 2025

In 2022, LastPass suffered a breach that, according to the UK's Information Commissioner's Office (ICO), stemmed from a series of security failures on the company's side. As CyberInsider reports, attackers first gained access to the company's development environment and from there reached user data, including encrypted password vaults. The ICO concluded that LastPass had not implemented adequate protections, in particular around access control, segmentation between environments, and monitoring capable of detecting the early signs of an intrusion.

The ICO's findings cover roughly 1.6 million users in the United Kingdom alone. The exposed data included email addresses, account metadata and other information that, although encrypted or only partly protected, raises the risk of targeted follow-on attacks such as phishing against the affected accounts.

The regulator also found LastPass's remediation insufficient and too slow, noting that the company did not promptly put in place measures to limit the impact of the breach. The ICO concluded that LastPass had breached fundamental information security principles, and imposed the financial penalty on that basis.

LastPass had already drawn criticism for how it communicated about the incident. According to CyberInsider, the company released information slowly and in stages, which made it hard for users to judge how serious the threat to their own data was. The regulator reportedly treated this as an aggravating factor.

No user passwords were exposed in plaintext. Passwords and private notes are encrypted with a key derived from each user's master password, which LastPass never stores, consistent with its zero-knowledge model. The vaults were therefore stolen in encrypted form rather than decrypted during the attack, but that means their safety now depends entirely on the strength of the master password. An attacker holding a copy of the vault can guess at the master password offline, deriving a key from each candidate and testing it against the ciphertext, with no lockout, rate limit or server-side defence in the way. Users whose master password was short, reused or leaked elsewhere should assume the vault contents can eventually be recovered and rotate the credentials stored in it.
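The offline attack described above, shown as an added example that is not part of the original article and does not use LastPass's real vault format. The vault here is a constructed stand-in: PBKDF2-HMAC-SHA256 stretches the master password into a key, an HMAC-SHA256 keystream stands in for the real cipher, and an HMAC tag lets a guess be confirmed, which is what lets a cracker know it has hit the right password. The iteration count of 100,100 is an assumed example value; real per-account settings vary.

```python
"""Offline dictionary attack against a stolen, master-password-encrypted vault.

Constructed demo (not LastPass's format): PBKDF2-HMAC-SHA256 key derivation,
an HMAC-SHA256 counter-mode keystream for encryption, and an HMAC tag that
lets an attacker verify a guess without any server involvement.
"""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple

KDF_ITERATIONS = 100_100  # assumed example value; real per-account settings differ


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def _keystream(key: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 over a counter (demo only, not for real use)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_vault(master_password: str, plaintext: bytes,
               iterations: int = KDF_ITERATIONS) -> dict:
    """Encrypt-then-MAC the vault under a key derived from the master password."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "ciphertext": ciphertext, "tag": tag}


def open_vault(master_password: str, vault: dict) -> Optional[bytes]:
    """Return the plaintext if the password is right, else None (tag mismatch)."""
    key = derive_key(master_password, vault["salt"], vault["iterations"])
    expected = hmac.new(key, vault["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    ks = _keystream(key, len(vault["ciphertext"]))
    return bytes(c ^ k for c, k in zip(vault["ciphertext"], ks))


def crack_vault(vault: dict, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline guessing: the attacker needs only the stolen vault and a wordlist.

    Nothing here talks to a server, so no lockout or rate limit applies; the
    only cost per guess is the KDF. Returns (password or None, guesses tried).
    """
    tried = 0
    for guess in candidates:
        tried += 1
        if open_vault(guess, vault) is not None:
            return guess, tried
    return None, tried


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Measure this machine's single-core guess rate at a given PBKDF2 iteration count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed vault contents and a constructed (tiny) wordlist.
    secret = b"site: example.com\nuser: alice\npass: Tr0ub4dor&3"
    vault = seal_vault("letmein123", secret)  # weak master password
    found, n = crack_vault(vault, ["password", "123456", "qwerty", "letmein123"])
    print(f"recovered master password {found!r} after {n} guesses")
    print(open_vault(found, vault).decode())
    for iters in (5_000, KDF_ITERATIONS):
        rate = guesses_per_second(iters)
        print(f"{iters:>7} iterations: ~{rate:,.0f} guesses/s on one core; "
              f"a 10^8-word list takes ~{1e8 / rate / 3600:,.1f} h")
```

The iteration count only multiplies the attacker's cost per guess; a master password that appears in a leaked wordlist falls regardless of how many iterations the KDF uses, which is why the paragraph above says the vault's safety rests on the password itself.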
