LastPass Faces £1.2M Fine and $8.2M Settlement Over 2022 Data Breach
Severity: High (Score: 67.5)
Sources: Topclassactions, www.theregister.com
Summary
LastPass has been fined £1.2 million ($1.6 million) by the UK's Information Commissioner's Office (ICO) for a 2022 data breach that affected up to 1.6 million UK users. The breach occurred in two parts. The first involved the compromise of a developer's MacBook, leading to the exfiltration of source code. The second involved a senior DevOps engineer's personal PC, which was exploited via CVE-2020-5741; the attacker then used a keylogger to steal access credentials. This allowed the attacker to obtain AWS access keys and decryption keys, leading to the exposure of sensitive customer information.

Additionally, LastPass has agreed to an $8.2 million class action settlement to compensate affected consumers, who can claim various monetary benefits. The settlement includes payments for ordinary and extraordinary losses, with specific provisions for California residents. The deadline for claims is July 2, 2026, with a final approval hearing scheduled for July 14, 2026.

Key Points:
- LastPass fined £1.2 million for a 2022 data breach affecting 1.6 million users.
- The breach involved exploitation of CVE-2020-5741 and compromised sensitive customer data.
- LastPass agreed to an $8.2 million settlement for affected consumers with various compensation options.
Key Entities
- Data Breach (attack_type)
- LastPass (company)
- United States (country)
- CVE-2020-5741 (cve)
- lastpasssettlement.com (domain)
- T1021 - Remote Services (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1056.001 - Keylogging (mitre_attack)
- macOS (platform)
- Plex Media Server (platform)