LastPass Faces £1.2M Fine and $8.2M Settlement Over 2022 Data Breach

LastPass Faces £1.2M Fine and $8.2M Settlement Over 2022 Data Breach

First seen 11 Apr 2026, 09:09 UTC Topclassactionswww.theregister.com 83% similarity 67.5

Article Content

Browse articles
ThreatCluster

LastPass has been fined £1.2 million ($1.6 million) by the UK's Information Commissioner's Office (ICO) for a data breach in 2022 that affected up to 1.6 million UK users. The breach occurred in two parts, with the first involving the compromise of a developer's MacBook, leading to the exfiltration of source code. The second incident involved a senior DevOps engineer's personal PC, exploited via CVE-2020-5741, where an attacker used a keylogger to steal access credentials. This allowed the attacker to obtain AWS access keys and decryption keys, leading to the exposure of sensitive customer information. Additionally, LastPass has agreed to an $8.2 million class action settlement to compensate affected consumers, who can claim various monetary benefits. The settlement includes payments for ordinary and extraordinary losses, with specific provisions for California residents. The deadline for claims is July 2, 2026, with a final approval hearing scheduled for July 14, 2026.

Key Points: • LastPass fined £1.2 million for a 2022 data breach affecting 1.6 million users. • The breach involved exploitation of CVE-2020-5741 and compromised sensitive customer data. • LastPass agreed to an $8.2 million settlement for affected consumers with various compensation options.

ThreatCluster AI

Timeline

2022-08-11
First security incident involving a developer's MacBook.
2022-08-12
Second incident involving a senior DevOps engineer's PC.
2023-03-10
CVE-2020-5741 added to CISA KEV for active exploitation.
2026-04-08
LastPass agrees to $8.2 million class action settlement.
2026-04-11
LastPass fined £1.2 million by ICO.

Community

Browse all →