Canadians Urged to Claim Settlement in LastPass Data Breach
Severity: Medium (Score: 42.9)
Sources: Dailyhive, www.newswire.ca
Keywords: settlement, action, canadians, lastpass, class, notice, deadline
Severity indicators: ot
Summary
A class-action lawsuit settlement of USD $3 million has been approved for Canadians affected by the LastPass data breach that occurred in 2022. The breach involved unauthorized access to user accounts, with over 1.1 million accounts in Canada, of which approximately 218,087 contained no user data. The breach was attributed to stolen credentials from a senior employee. Eligible Canadians must submit a claim by June 23, 2026, to receive compensation, which could be up to $500. The lawsuit, filed by Karan Keswani, alleges negligence on the part of LastPass for failing to protect user information adequately. The settlement covers all legal fees and is not an admission of liability by the defendants. Affected individuals are encouraged to act promptly to secure their claims.
Key Points:
- Settlement of USD $3 million approved for LastPass data breach victims in Canada.
- Over 1.1 million Canadian accounts were affected, with unauthorized access to sensitive information.
- Eligible claimants must submit forms by June 23, 2026, to receive compensation.
Detailed Analysis
**Impact** Approximately 1,102,688 LastPass user accounts in Canada were affected by the 2022 data breach, with at least 884,601 accounts containing user data. The breach exposed both encrypted and unencrypted sensitive information, including usernames and passwords. The incident prompted a class-action lawsuit resulting in a US$3 million settlement covering all legal and administrative costs. The affected parties span Canadian consumers relying on LastPass for password management, with potential implications for personal and business credential security.
**Technical Details** The breach occurred through credential theft from a senior LastPass employee by an unknown threat actor in 2022. The attacker gained unauthorized access to LastPass systems, extracting both encrypted and unencrypted user data. No specific malware, CVEs, or infrastructure details were disclosed in the articles. The attack corresponds to initial access and data exfiltration stages of the kill chain.
**Recommended Response** Organizations and individuals should ensure multi-factor authentication is enabled on password management accounts and review all stored credentials for unauthorized access or suspicious activity. Users should change passwords for critical accounts, especially if reused elsewhere. Security teams should monitor for unusual access patterns related to LastPass accounts and educate users on phishing and credential theft risks. No specific patches or IOCs were provided for direct technical mitigation.
Source articles (2)
- Deadline nears for Canadians to claim up to $500 in $4M data breach settlement — Dailyhive · 2026-06-01
  Canadians could receive up to hundreds of dollars from a class-action lawsuit settlement, but the deadline to file a claim is quickly approaching. Eligible Canadians affected by the LastPass data secu…
- Lastpass Canadian Consumer Privacy Class Action Notice Of Settlement Approval 819632323 — www.newswire.ca · 2026-06-01
  Please read this notice carefully. A settlement may affect your legal rights. You may have to take prompt action. TORONTO, March 25, 2026 /CNW/ - On February 8, 2023, a class action was filed in the…
Timeline
- 2022-08-01 — LastPass data breach reported: LastPass disclosed a data breach involving unauthorized access to user accounts due to stolen credentials.
- 2023-02-08 — Class action filed: A class action lawsuit was filed in the Supreme Court of British Columbia on behalf of affected Canadians.
- 2026-02-18 — Settlement approved: The court approved a settlement of USD $3 million for the class action lawsuit against LastPass.
- 2026-06-01 — Claim submission deadline approaching: Eligible Canadians must submit claims by June 23, 2026, to receive compensation from the settlement.
Related entities
- Data Breach (Attack Type)
- LastPass (Company)
- LastPass Technologies Canada ULC (Company)
- LastPass US LP (Company)
- Canada (Country)
- CWE-200 - Exposure of Sensitive Information (CWE)
- T1078 - Valid Accounts (MITRE ATT&CK)