
LastPass 2022 data breach

2022 security incident affecting LastPass. From Wikipedia, the free encyclopedia.


The LastPass 2022 data breach refers to two related security incidents disclosed by the password manager LastPass in 2022. In the first incident, an attacker accessed parts of LastPass’s development environment and exfiltrated source code repositories and technical documentation, including an encrypted copy of the key used to protect backups of customer data stored in Amazon S3.

In a second incident, a senior DevOps engineer’s personal computer was compromised, and the attacker used a keystroke logger to obtain the employee’s credentials and access an internal vault holding further keys. According to the UK Information Commissioner's Office (ICO), this enabled access to and exfiltration of a backup database and copies of some customers’ password vault data, which included both unencrypted fields (such as some website URLs) and encrypted fields (such as usernames and passwords).

The incidents led to significant downstream risk because stolen vault backups can be subjected to offline cracking attempts, with the likelihood of compromise depending on factors such as users’ master-password strength and encryption settings (including iteration counts). The breach prompted litigation and regulatory scrutiny, including a monetary penalty issued by the ICO in November 2025 against LastPass UK Ltd for failures to implement appropriate technical and organisational measures affecting over one million UK data subjects.


Background

LastPass stores users’ credentials in encrypted “vaults”. At the time of the incidents, LastPass operated its production environment in physical data centres and used Amazon S3 "buckets" for backup storage. It secured those backups using server-side encryption with an SSE-C key;[a] the SSE-C key was always encrypted when not in use, and only four people at LastPass were able to decrypt the key itself.[1]:15

During the relevant period, LastPass permitted employees to link “Personal” and “Employee Business” LastPass accounts under a single master password.[1]:15


Attack Timeline

  • Between 8 and 11 August 2022,[2] an attacker compromised the laptop of a software developer at LastPass and exfiltrated 14 of approximately 200 LastPass source code repositories,[1]:16 along with technical documentation and an encrypted version of the SSE-C key[2] that secured the backups of LastPass's production database in AWS S3 buckets.[1]:15 The attacker would not have been able to decrypt the key without the separate key that protected it. LastPass refers to this as Incident 1.[2]
  • On 11 August 2022, an AWS GuardDuty alert was triggered and sent to the LastPass security operations centre.[1]:15
  • On 12 August 2022, the personal computer of a separate LastPass employee (a senior DevOps engineer[3], who was one of the four people who had access to the decryption key for the SSE-C key) was compromised by an attacker [b] via a Plex server the employee was running. The Plex server had not been updated to cover a critical vulnerability. The attacker gained full access to the employee's machine and used a keystroke logger to obtain that engineer's master password.[1]:19 LastPass refers to this as Incident 2.[1]:18
  • Between 12 and 18 August, LastPass rotated any cleartext credentials or secrets that might have been accessed by the Incident 1 attacker, along with the AWS access keys.[1]:18
  • On 13 August 2022, LastPass engaged Mandiant to assist with the incident response.[1]:16
  • On 20 August, after LastPass had rotated their keys, the attacker extracted the contents of the senior DevOps engineer's Employee Business account vault containing the keys.[1]:18
  • Between August 20 and September 16, 2022, the actor obtained the user database of August 14, 2022, and several password vault backups.[1]:19
  • On 25 August 2022, LastPass released a statement that it had detected unusual activity in portions of its development environment and that it had “seen no evidence” of access to customer data or encrypted vaults, while reporting that source code and proprietary technical information had been taken.[4]
  • On 15 September 2022, LastPass said its investigation (with Mandiant) "revealed that the threat actor’s activity was limited to a four-day period in August 2022", with “no evidence” of activity beyond that timeline and “no evidence” of access to customer data or encrypted vaults.[4] The ICO later said that, due to anti-forensic activity (and a scheduled OS upgrade coinciding with Incident 1), LastPass’ investigation was unable to determine the full extent of the threat actor's activity.[1]:16[2]
  • On 15 and 22 October 2022, activity by the attacker triggered AWS GuardDuty alerts; however, due to errors in the setup of the alert mailing list and a miscommunication between teams, the LastPass security operations centre was not made aware of the alerts until 2 November.[1]:20
  • On 30 November 2022, LastPass submitted a personal data breach report to the ICO.[1]:21
  • On 15 December 2022, AWS confirmed to LastPass that the threat actor had exfiltrated a copy of the backup database.[1]:20

Impact


The stolen information included unencrypted names, email addresses, billing addresses, partial credit card numbers and website URLs,[1]:27 as well as the number of rounds of encryption (the key-derivation iteration count) used for each user's password vault.[5] It also included the password vaults themselves, encrypted with users' master passwords.[1] The Information Commissioner's Office found that over one million UK data subjects were affected.[1]:27

The security of each user's encrypted password vault depends on the strength of the user's master password (and on whether that password had previously been leaked elsewhere) and on the number of rounds of encryption used. Some customer vaults were more vulnerable to decryption than others because they were older: LastPass had increased the minimum number of encryption rounds over time, and older vaults were not necessarily upgraded.[6][7]
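To make the two factors above concrete, the following added example (not from the article or from LastPass) derives a vault key with PBKDF2-HMAC-SHA256 and estimates how long an offline attacker would need for a vault at a given iteration count and master-password strength. The key-derivation scheme, the guess rate and the triage thresholds are assumptions for illustration, not figures from the page.

```python
import hashlib

# Assumption: the vault key is derived with PBKDF2-HMAC-SHA256 from the
# master password, salted with the account e-mail, for the iteration count
# that was stored unencrypted alongside each stolen vault.
def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def relative_cost(iterations: int, baseline: int = 5000) -> float:
    """Per-guess work for an offline attacker relative to a low legacy count."""
    return iterations / baseline


def expected_crack_seconds(iterations: int, entropy_bits: float,
                           hashes_per_second: float) -> float:
    """Expected time to recover the key: on average half the keyspace is tried,
    and every guess costs `iterations` hash computations."""
    guesses_per_second = hashes_per_second / iterations
    return (2.0 ** entropy_bits / 2.0) / guesses_per_second


def vault_triage(iterations: int, entropy_bits: float,
                 min_iterations: int = 600_000,
                 hashes_per_second: float = 1e9) -> dict:
    """Defender-side check: should this user rotate their master password?
    Constructed policy: rotate if the vault used fewer than `min_iterations`
    rounds OR the expected cracking time is under ten years at an assumed
    1e9 SHA-256 computations per second."""
    seconds = expected_crack_seconds(iterations, entropy_bits, hashes_per_second)
    years = seconds / (365.25 * 24 * 3600)
    return {
        "iterations": iterations,
        "expected_years": years,
        "below_min_iterations": iterations < min_iterations,
        "rotate": iterations < min_iterations or years < 10,
    }


if __name__ == "__main__":
    # Constructed inputs: a legacy 5,000-round vault with a ~28-bit password
    # versus a 600,000-round vault with a ~60-bit passphrase.
    print(vault_triage(5_000, 28))
    print(vault_triage(600_000, 60))
```

The check shows that a high iteration count alone does not rescue a weak master password, while a low legacy count cheapens every guess against even a strong one.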

In September 2023, Krebs On Security reported some stolen LastPass vaults were being successfully decrypted in offline attacks; researchers had linked thefts affecting more than 150 victims (totalling more than $35 million) and described a common factor among victims as having stored cryptocurrency “seed phrases” in LastPass. LastPass declined to answer questions about the research, citing an ongoing law-enforcement investigation and pending litigation.[8][9][10] In 2025, a larger heist of $150 million was also linked to the 2022 data theft.[9]


A class-action lawsuit was initiated in early 2023, with the anonymous plaintiff stating that LastPass failed to keep users' information safe.[11] Of particular concern in the lawsuit was the increased risk of the details being used in phishing attacks.[11]

On 20 November 2025, the Information Commissioner's Office (ICO) issued a penalty notice to LastPass UK Ltd under section 155 of the Data Protection Act 2018, requiring it to pay £1,228,283 for infringements of Article 5(1)(f) and Article 32(1) of the UK GDPR.[1] The ICO concluded that, during the period 31 December 2021 to 31 December 2024, LastPass had failed to implement appropriate technical and organisational measures, including by allowing senior employees to access "Employee Business" accounts from personal devices and by permitting "Personal" and "Employee Business" accounts to be linked under a single master password; it found that these failings contributed to the unlawful access and exfiltration of personal data relating to over one million UK-based customers.[12] In announcing the enforcement action, Information Commissioner John Edwards said that "LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure".[13] The fine was reduced by 30% to reflect the measures that LastPass had in place at the time and put into place afterwards.[1]:79


Notes

  1. SSE stands for Server-Side Encryption, and the C denotes that the key is customer-held.
  2. It is unknown if the whole attack was by one person, a group, or several attackers who sold each other information.
