2022 LastPass data breach

Two related security incidents were disclosed by the password manager LastPass in 2022. In the first incident, an attacker accessed parts of LastPass's development environment and exfiltrated source code repositories and technical documentation, including an encrypted copy of the key used to protect backups of customer data stored in Amazon S3.

In a second incident, a senior DevOps engineer's personal computer was compromised, and the attacker used a keystroke logger to obtain the employee's credentials and access an internal vault holding further keys. According to the UK Information Commissioner's Office (ICO), this enabled access to and exfiltration of a backup database and copies of some customers' password vault data, which included both unencrypted fields (such as some website URLs) and encrypted fields (such as usernames and passwords).

The breach prompted litigation and regulatory scrutiny, including a monetary penalty issued by the ICO in November 2025 against LastPass UK Ltd for failures to implement appropriate technical and organisational measures affecting over one million UK data subjects. The breach led to further incidents because stolen vault backups can be subjected to offline cracking attempts: in 2025 LastPass settled a class action lawsuit in the amount of $24.5 million for losses incurred by customers whose vaults had been accessed.

Background

LastPass stores users' credentials in encrypted "vaults". At the time of the incidents, LastPass operated its production environment in physical data centres and used Amazon S3 "buckets" for backup storage; it secured those backups using server-side encryption with a SSE-C key.[a] The SSE-C key was always encrypted when not in use, and only four people at LastPass were able to decrypt the key itself.[1]: 15 

During the relevant period, LastPass permitted employees to link "Personal" and "Employee Business" LastPass accounts under a single master password.[1]: 15 

Attack timeline

  • Between 8 and 11 August[2] 2022, an attacker compromised the laptop of a software developer at LastPass and downloaded 14 of LastPass's source code repositories,[1]: 16  along with technical documentation and an encrypted version of the SSE-C key[2] that secured the backups of LastPass's production database inside AWS S3 buckets.[1]: 15  However, the attacker would not have been able to decrypt the key. LastPass refers to this as Incident 1.[2]
  • On 11 August 2022, an AWS GuardDuty alert was triggered and sent to the LastPass security operations centre.[1]: 15 
  • On 12 August 2022, the personal computer of a different LastPass employee (a senior DevOps engineer according to LastPass),[3] who was one of the four people who had access to the decryption key for the SSE-C key) was compromised by an attacker[b] via a Plex server the employee was running. The Plex server had not been updated to cover a critical vulnerability. The attacker gained full access to the employee's machine and used a keystroke logger to obtain that engineer's master password.[1]: 19  LastPass refers to this as Incident 2.[1]: 18 
  • On 13 August 2022, LastPass hired the U.S. cybersecurity firm (and subsidiary of Google) Mandiant to help them respond to the incident.[1]: 16 
  • Between 16 and 18 August, LastPass rotated any clear text credentials or secrets that may have been accessed by the Incident 1 attacker, along with the AWS Access Keys[1]: 18 
  • On 20 August, after LastPass had rotated their keys, the attacker extracted the contents of the senior DevOps engineer's Employee Business account vault containing the keys.[1]: 18 
  • Between 20 August and 16 September 2022, the actor obtained the user database of 14 August, 2022, and several password vault backups.[1]: 19 
  • On 25 August 2022, LastPass released a statement that it had detected unusual activity in portions of its development environment and that it had "seen no evidence" of access to customer data or encrypted vaults, while reporting that source code and proprietary technical information had been taken.[4]
  • On 15 September 2022, LastPass said its investigation (with Mandiant) "revealed that the threat actor's activity was limited to a four-day period in August 2022", with "no evidence" of activity beyond the timeline and "no evidence" of access to customer data or encrypted vaults.[4] The ICO later said that LastPass had actually been "unable to determine" the extent of the issue because of a combination of anti-forensic activity by the attacker (and a scheduled OS upgrade coinciding with Incident 1).[1]: 16 [2]
  • On 15 and 22 October 2022, activity by the attacker triggered AWS GuardDuty alerts, but due to errors in the setup of the mailing list and a miscommunication between teams, the LastPass security operations centre were not made aware of the alerts until 2 November.[1]: 20 
  • On 30 November 2022, LastPass contacted the ICO with a personal data breach report.[1]: 21 
  • On 15 December 2022, AWS confirmed to LastPass that the threat actor had downloaded a copy of the Backup Database.[1]: 20 

Impact

The stolen information included: unencrypted names, email addresses, billing addresses, partial credit cards and website URLs.[1]: 27  It also included the password vaults that were encrypted with users' master passwords.[1]: 14  The Information Commissioner's Office found that over one million UK data subjects were affected.[1]: 27 

The security of each user's encrypted password vault depends on the strength of the user's master password (or whether the password had previously been leaked), and the number of rounds of encryption used. Some customer vaults were more vulnerable to decryption than others because they were older, and LastPass had increased the minimum amount of encryption rounds over time.[5][6]

In September 2023, Krebs On Security reported some stolen LastPass vaults were being successfully decrypted in offline attacks; researchers had linked thefts affecting more than 150 victims (totalling more than $35 million) and described a common factor among victims as having stored cryptocurrency "seed phrases" in LastPass. LastPass declined to answer questions about the research, citing an ongoing law-enforcement investigation and pending litigation.[7][8][9] In 2025, a larger heist of $150 million was also linked to the 2022 data theft.[8]

On 20 November 2025, the Information Commissioner's Office (ICO) issued a penalty notice to LastPass UK Ltd under section 155 of the Data Protection Act 2018, requiring it to pay £1,228,283 for infringements of Article 5(1)(f) and Article 32(1) of the UK GDPR.[1] The ICO concluded that, during the period 31 December 2021 to 31 December 2024, LastPass hadn't implemented expected technical and organisational measures, including by allowing senior employees to use "Employee Business" accounts from personal devices and by permitting "Personal" and "Employee Business" accounts to be linked under a single master password; it found that these failings contributed to the unlawful access and exfiltration of personal data relating to approximately over a million UK-based customers.[10] In announcing the enforcement action, Information Commissioner John Edwards said that "LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure".[11] The fine had been reduced by 30% to reflect the measures that LastPass had in place at the time and put into place afterwards.[1]: 79 

A class-action lawsuit was initiated in early 2023, with the anonymous plaintiff stating that LastPass failed to keep users' information safe.[12] Of particular concern in the lawsuit was the increased risk of the details being used in phishing attacks.[12] In November 2025 the parties informed the court that they had reached an agreement in principle,[13] and it was reported in February 2026 that the settlement was in the amount of $24.5 million, with $16 million of that set aside specifically for loses related to cryptocurrency.[14]

Notes

  1. ^ SSE stands for Server Side Encryption and the C denotes that it is customer held.
  2. ^ It is unknown if the whole attack was by one person, a group, or several attackers who sold each other information.

References

  1. ^ a b c d e f g h i j k l m n o p q r s t "Penalty Notice: LastPass UK Ltd" (PDF). Information Commissioner's Office. 20 November 2025. Retrieved 13 December 2025.
  2. ^ a b c d "Incident 1 – Additional details of the attack". support.lastpass.com. Retrieved 15 December 2025.
  3. ^ Toubba, Karim (1 March 2023). "Security Incident Update and Recommended Actions". The LastPass Blog. Retrieved 5 March 2023.
  4. ^ a b Toubba, Karim (22 December 2022). "12-22-2022: Notice of Security Incident". The LastPass Blog. Retrieved 13 December 2025.
  5. ^ Goodin, Dan (22 December 2022). "LastPass users: Your info and vault data is now in hackers' hands". Ars Technica. Retrieved 22 December 2022.
  6. ^ Clark, Mitchell (23 December 2022). "Hackers stole encrypted LastPass password vaults, and we're just now hearing about it". The Verge. Retrieved 20 September 2024.
  7. ^ "Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach – Krebs on Security". 9 September 2023. Retrieved 20 September 2024.
  8. ^ a b "Feds Link $150M Cyberheist to 2022 LastPass Hacks – Krebs on Security". 7 March 2025. Retrieved 8 March 2025.
  9. ^ Weatherbed, Jess (7 September 2023). "LastPass security breach linked to $35 million stolen in crypto heists". The Verge. Retrieved 8 September 2023.
  10. ^ "LastPass UK Ltd". Information Commissioner's Office. 20 November 2025. Retrieved 13 December 2025.
  11. ^ "Password manager provider fined £1.2m by ICO for data breach affecting up to 1.6 million people in the UK". Information Commissioner's Office. 11 December 2025. Retrieved 13 December 2025.
  12. ^ a b Kan, Michael (5 January 2023). "LastPass Faces Class-Action Lawsuit Over Password Vault Breach". PCMAG. Retrieved 6 January 2023.
  13. ^ "Joint Motion to Stay Deadlines Pending Settlement (John v. LastPass US LLC, No. 1:22-cv-12047-PBS)" (PDF). United States District Court for the District of Massachusetts. 4 November 2025. Retrieved 4 February 2026.
  14. ^ Brown, Christopher. "LastPass Gets Initial Nod for $24.5 Million Data Breach Deal".
This article is issued from Wikipedia. The text is available under Creative Commons Attribution-Share Alike 4.0 unless otherwise noted. Additional terms may apply for the media files.