UK Information Commissioner fines a password manager 1.2 million pounds for data breach
February 1, 2026
The raison d’être of a password manager company is to protect and manage the plethora of passwords its customers must use for work, play or simply personal life. Those companies must therefore store customer passwords and logins in their databases. A data breach at such a company would obviously be disastrous, and even more damaging if personal details of its customers were stolen. That is exactly what happened to LastPass in the UK. The UK Information Commissioner found that LastPass suffered a data breach which resulted in the personal information of 1.6 million individuals being compromised. As the media release makes clear, the hacker was very thorough in probing the weaknesses in LastPass’s defences.
The hacker first accessed an employee’s corporate laptop to obtain encrypted company credentials, then targeted another employee who had access to the decryption key, by way of a known vulnerability in a third-party streaming service. That gave the hacker access to that employee’s LastPass vaults, which were protected by only a single master password. Those vaults held the access key to Amazon Web Services which, combined with the other stolen information, enabled the hacker to extract personal information from the backup database.
As if it needed to be said, proper defences should not be focused on perimeter protection alone. Comprehensive protection throughout the organisation is necessary: protection at every level and at every point of contact with the internet.
The media release provides:
- Service which promises to help people improve their security, has failed them, leaving them vulnerable
- Combination of two isolated incidents enabled hacker to steal personal information relating to 1.6m customers
- ‘Zero knowledge’ encryption system ensures customer passwords and vaults are not decrypted
We have fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users.
We found that LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. There is no evidence that hackers were able to unencrypt customer passwords as these are stored locally on customer devices and not by LastPass.
The incidents occurred in August 2022 when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and then was able to capture the employee’s master password. The combined detail from both incidents enabled the hacker to access LastPass’ backup database and take personal information which included customer names, emails, phone numbers, and stored website URLs.
John Edwards, UK Information Commissioner, said:
“Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced.
“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today.
“I call on all UK business to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks”.
Details of the two incidents
Incident one
- A hacker compromised a LastPass employee’s corporate laptop and gained access to the company’s development environment.
- No personal information was taken; however, encrypted company credentials were. If decrypted, these would allow access to the company’s backup database.
- LastPass took steps to mitigate the hacker’s activity and believed encryption keys remained safe as they were stored outside of the area accessed by the hacker in the account vaults of four senior employees.
Incident two
- The hacker then targeted one of the senior employees who had access to the decryption keys, gaining access to their personal device via a known vulnerability in a third-party streaming service.
- A keylogger was installed, capturing the employee’s master password, and multi-factor authentication was bypassed using a trusted device cookie.
- The hacker then gained access to the employee’s personal and business LastPass vaults, which were linked using a single master password.
- The hacker then gained access to the employee’s business vault which contained the Amazon Web Service (AWS) access key and decryption key.
- This information, combined with information taken the day before, enabled the hacker to extract the contents of the backup database which contained the personal information.
Our investigation found no evidence that encrypted passwords and other credentials were able to be unencrypted by the hacker. This is due to LastPass’ use of a ‘zero knowledge’ encryption system, whereby the master password required to access a password vault is stored locally on a customer’s own device and never shared with LastPass.
The highlights of the Penalty Notice are:
- the infringements resulted from LastPass allowing its employees, including senior employees with access to highly confidential corporate credentials, to:
- access both their Personal and Employee Business LastPass accounts from a personal device, where the latter contained the decryption keys required to access LastPass customers’ personal data; and
- combine their Personal and Employee Business LastPass accounts so that they could be accessed by a single master password
- LastPass offers:
- a password manager product which provides users with an encrypted password vault in which they can store passwords, login credentials, payment information, addresses and secure notes.
- users the ability to autofill online forms, generate secure online usernames and passwords, store payment information in a digital wallet and automatically monitor and detect if their information has been exposed
- LastPass employs local-only encryption, which is designed to allow only the LastPass user to decrypt and access their data. All confidential data stored in LastPass users’ vaults is encrypted and decrypted exclusively on the user’s local machine, and the data is only synced with LastPass servers after it has been encrypted, so LastPass itself never has access to the unencrypted data.
- LastPass does not have access to, nor does it store, the plaintext “master password” that users must enter in order to access their account. It is unable to decrypt the data stored in a user’s vault. The data within a user’s vault is only decrypted locally on their own device after the master password is successfully entered, including when the user accesses their account via the internet or a mobile app. LastPass refers to this protection of the contents of users’ vaults as “zero knowledge” encryption.
- LastPass combines its local-only encryption model with one-way salted hashes in order to secure the data stored by its customers in their vaults whilst also allowing for online access and cloud. LastPass encrypts user data with Advanced Encryption Standard (“AES”) in Cipher Block Chaining (“CBC”) mode with a 256-bit key generated from each user’s master password. When a user first creates a LastPass account, their master password is converted, via hashing, to an encryption key with the username as the salt. This process is performed entirely on the user’s device. At the time of the Incidents a default of 100,100 rounds of PBKDF2-SHA256 was used to create the encryption key. An additional round of hashing is performed in order to generate the master password authentication hash. The hash is then sent to the LastPass server to be used for authentication purposes when the user logs in. The user’s master password and the encryption key are never sent to the LastPass servers and LastPass cannot reverse the authentication hash that it receives to derive the user’s master password.
- For data backup and disaster recovery purposes, LastPass’ database (including data stored in end-user password vaults) is routinely backed up to Amazon Web Services (“AWS”) Simple Storage Service (“S3”) buckets.
- the Backup Database contained data including company names, end-user names, website URLs, billing addresses, email addresses, telephone numbers and IP addresses. This data was encrypted whilst it was stored in the AWS S3 buckets, but was decrypted when accessed and exfiltrated by the threat actor. Data stored within LastPass password vaults, including usernames, passwords and secure notes, was also held on the Backup Database.
- In order to access and download the Backup Database held in the S3 buckets, two separately stored credentials were required, specifically the SSE-C Key, which was encrypted and stored within a source code repository, and an access key (the “AWS Access Key”). As the SSE-C Key was encrypted at rest, a decryption key was also required in order to decrypt the SSE-C key for use.
- The decryption key needed to decrypt the SSE-C Key was stored within the Employee Business account vaults of four senior LastPass employees, including the Senior Development Operations engineer who was targeted during Incident 2 (the “Senior Development Operations Engineer”)
- the data affected was:
- the email addresses of 1,631,410 UK data subjects had been decrypted and exfiltrated;
- the IP addresses of devices used by 1,631,410 UK data subjects to access LastPass vaults had been decrypted and exfiltrated;
- the names of 159,809 UK data subjects had been decrypted and exfiltrated;
- the telephone numbers of 248,407 UK data subjects had been decrypted and exfiltrated;
- the physical addresses of 118,103 UK data subjects had been decrypted and exfiltrated; and
- data stored in the LastPass vaults of 1,216,107 UK data subjects (including website usernames, passwords, secure notes and form-filled data) had been exfiltrated, but in an encrypted form
- The Commissioner found:
- that LastPass failed to implement appropriate technical and organisational measures to ensure an appropriate level of security for the personal data for which it was responsible and the ongoing confidentiality and integrity of its processing systems and services because of its practice:
- of allowing senior employees with access to highly confidential corporate information to access their Employee Business vaults via the internet from their unmanaged personal devices; and
- of allowing its employees to link their Personal and Employee Business accounts so that they could be accessed by a single master password;
- that LastPass, as a provider of software designed to be used for the management of usernames, passwords and other confidential information, with significant technical and financial resources at its disposal, could legitimately have been expected to have enforced stringent security processes and procedures across its operations in order to ensure, to the greatest extent possible, the security of its customers’ personal data.
- that whilst allowing employees to use their own devices to access company software is a more cost-effective option, it presents some security risks
- that there should be a clear separation between personal data processed on behalf of the controller and that processed for the device owner’s own purposes;
- that the devices used should be limited to those which the controller has assessed as providing an appropriate level of security for the personal data being processed;
- LastPass allowed its employees, including senior employees with access to highly confidential corporate credentials, to access their Employee Business accounts using their personal devices despite the fact that if an employee’s personal device was compromised, this could give an attacker relatively easy access to the information stored within their Employee Business account.
- the failure to impose a strict separation of work and personal activities enabled the hacker to exploit a known vulnerability in the software of the third-party streaming service “Plex,” which was installed on the personal device of a senior LastPass Development Operations engineer based in the USA and used for his personal purposes. Despite LastPass implementing measures protecting against unauthorised remote access to the internal LastPass network, the threat actor, using a keylogger installed by exploiting the vulnerability in the third-party Plex streaming service, was able to obtain the engineer’s master password.
- when taking into account the sensitivity of the information which was stored within the Senior Development Operations Engineer’s Employee Business vault, specifically the AWS Access Keys and decryption key required to decrypt the AWS SSE-C Key, LastPass should have restricted access to this vault to company-managed devices on which only verified, approved and secure software and applications were installed.
- that LastPass infringed the Act by allowing its employees, including senior employees with access to highly confidential corporate credentials, to link their Employee Business and Personal accounts so that they could be accessed using the same master password, which enabled the hacker to capture the engineer’s master password and use it, along with stolen trusted device cookies, to gain access to both his Employee Business and Personal accounts, the former containing the AWS Access Key and decryption keys.
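As an added illustration of the key-derivation scheme the penalty notice describes (PBKDF2-SHA256 with the username as salt, then an additional hashing round to produce the authentication hash the server receives), the following Python is example code, not LastPass’s own implementation. The exact construction of the “additional round” is an assumption (one further PBKDF2-SHA256 round of the vault key with the master password as salt), and the username and password are constructed sample values.

```python
import hashlib
import hmac

# Parameters the penalty notice gives for the time of the incidents:
# PBKDF2-SHA256, 100,100 rounds, the username as salt, a 256-bit AES key.
PBKDF2_ROUNDS = 100_100
KEY_LEN = 32

def derive_vault_key(username, master_password, rounds=PBKDF2_ROUNDS):
    """Client side only: the vault encryption key, which never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.encode(), rounds, dklen=KEY_LEN)

def derive_auth_hash(vault_key, master_password):
    """Client side: the only value sent to the server at login.
    ASSUMPTION: one further PBKDF2-SHA256 round of the key with the master
    password as salt; the notice only says 'an additional round of hashing'."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(),
                               1, dklen=KEY_LEN)

class AuthServer:
    """Models what the service stores: authentication hashes only, so a dump of
    this table yields neither the master password nor the vault key."""
    def __init__(self):
        self._auth_hashes = {}

    def register(self, username, auth_hash):
        self._auth_hashes[username] = auth_hash

    def login(self, username, auth_hash):
        stored = self._auth_hashes.get(username)
        # Constant-time comparison so timing does not reveal matching prefixes.
        return stored is not None and hmac.compare_digest(stored, auth_hash)

    def holds(self, secret):
        return secret in self._auth_hashes.values()  # did the server ever get this?

def client_login(server, username, master_password):
    """Full client flow: derive the key locally, transmit only the auth hash."""
    key = derive_vault_key(username, master_password)
    return server.login(username, derive_auth_hash(key, master_password))

def demo():
    """Returns (correct login ok, wrong password accepted, server holds vault key)."""
    user, pw = "alice@example.com", "correct horse battery staple"  # constructed sample
    server = AuthServer()
    key = derive_vault_key(user, pw)
    server.register(user, derive_auth_hash(key, pw))
    return (client_login(server, user, pw),
            client_login(server, user, "wrong password"), server.holds(key))
```

Because the server table contains only the authentication hash, a stolen copy of the backup does not by itself yield vault keys, which is why the exfiltrated vault data stayed encrypted; the key remains only as strong as the master password and the round count.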