UK ICO fines LastPass £1.2 million for 2022 data breach affecting 1.6 million users
Summary
The UK Information Commissioner's Office (ICO) fined LastPass £1.2 million for security failures that led to a 2022 breach impacting up to 1.6 million UK users. The breach involved two interconnected incidents starting in August 2022, in which an attacker stole personal information and encrypted password vaults. The ICO found that LastPass had failed to implement adequate security measures to prevent the breach. The attacker first compromised a LastPass employee's laptop, gaining access to the company's development environment. The following day, the attacker targeted a senior employee by exploiting a vulnerability in a third-party streaming application on that employee's home computer and captured the master password as it was typed, after multi-factor authentication had already been completed, which left MFA with nothing to stop. With the master password, the attacker obtained an Amazon Web Services access key and a decryption key, used them to access cloud-based storage that LastPass shared with its then-parent company GoTo, and stole LastPass database backups. The stolen data included encrypted password vaults, names, email addresses, phone numbers, and website URLs associated with customer accounts. The ICO noted that LastPass' Zero Knowledge architecture meant the stolen vaults remained encrypted, but held that the company had still failed to meet its obligation to protect customer data. Because each vault's encryption key is derived from the user's master password, the breach has enabled bad actors to crack vaults that had weak master passwords and drain cryptocurrency assets as recently as late 2025. Evidence points to the involvement of Russian cybercriminal actors, with one Russian exchange receiving LastPass-linked funds as recently as October 2025. More than $35 million in siphoned digital assets has been traced, of which $28 million was converted to Bitcoin and laundered via Wasabi Wallet between late 2024 and early 2025; a further $7 million has been linked to a subsequent wave detected in September 2025.
Timeline
- 25.12.2025 14:46 · 1 article
Russian actors exploit 2022 LastPass breach to drain cryptocurrency assets
The encrypted vault backups stolen in the 2022 LastPass data breach have enabled bad actors to crack vaults protected by weak master passwords and drain cryptocurrency assets as recently as late 2025. Evidence points to the involvement of Russian cybercriminal actors, with one Russian exchange receiving LastPass-linked funds as recently as October 2025. More than $35 million in siphoned digital assets has been traced, of which $28 million was converted to Bitcoin and laundered via Wasabi Wallet between late 2024 and early 2025. A further $7 million has been linked to a subsequent wave detected in September 2025. The stolen funds were routed through Cryptomixer.io and off-ramped via Cryptex and Audia6, two Russian exchanges associated with illicit activity.
Sources:
- LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds — thehackernews.com — 25.12.2025 14:46
- 11.12.2025 19:09 · 3 articles
UK ICO fines LastPass £1.2 million for 2022 data breach affecting 1.6 million users
The UK Information Commissioner's Office (ICO) fined LastPass £1.2 million for security failures that led to a 2022 breach impacting up to 1.6 million UK users. The breach involved two interconnected incidents starting in August 2022, in which an attacker stole personal information and encrypted password vaults. The ICO found that LastPass had failed to implement adequate security measures to prevent the breach. The attacker first compromised a LastPass employee's laptop, gaining access to the company's development environment. The following day, the attacker targeted a senior employee by exploiting a vulnerability in a third-party streaming application on that employee's home computer and captured the master password as it was typed, after multi-factor authentication had already been completed. With it, the attacker obtained an Amazon Web Services access key and a decryption key, used them to access cloud-based storage that LastPass shared with its then-parent company GoTo, and stole LastPass database backups. The stolen data included encrypted password vaults, names, email addresses, phone numbers, and website URLs associated with customer accounts. The ICO noted that LastPass' Zero Knowledge architecture meant the stolen vaults remained encrypted, but held that the company had still failed to meet its obligation to protect customer data.
Sources:
- UK fines LastPass over 2022 data breach impacting 1.6 million users — www.bleepingcomputer.com — 11.12.2025 19:09
- ICO Fines LastPass £1.2m After 2022 Breach — www.infosecurity-magazine.com — 12.12.2025 11:10
- LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds — thehackernews.com — 25.12.2025 14:46
Information Snippets
- The ICO fined LastPass £1.2 million for security failures leading to a 2022 data breach affecting up to 1.6 million UK users.
  First reported: 11.12.2025 19:09 · 3 sources, 3 articles. Sources:
- UK fines LastPass over 2022 data breach impacting 1.6 million users — www.bleepingcomputer.com — 11.12.2025 19:09
- ICO Fines LastPass £1.2m After 2022 Breach — www.infosecurity-magazine.com — 12.12.2025 11:10
- LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds — thehackernews.com — 25.12.2025 14:46
- The breach involved two interconnected incidents starting in August 2022, in which an attacker compromised a LastPass employee's laptop and then targeted a senior employee by exploiting a vulnerability in a third-party streaming application.
  First reported: 11.12.2025 19:09 · 3 sources, 3 articles. Sources:
- UK fines LastPass over 2022 data breach impacting 1.6 million users — www.bleepingcomputer.com — 11.12.2025 19:09
- ICO Fines LastPass £1.2m After 2022 Breach — www.infosecurity-magazine.com — 12.12.2025 11:10
- LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds — thehackernews.com — 25.12.2025 14:46
- The attacker stole an Amazon Web Services access key and a decryption key, and used them to access cloud-based storage that LastPass shared with its then-parent company GoTo and steal LastPass database backups.
  First reported: 11.12.2025 19:09 · 3 sources, 3 articles. Sources:
- UK fines LastPass over 2022 data breach impacting 1.6 million users — www.bleepingcomputer.com — 11.12.2025 19:09
- ICO Fines LastPass £1.2m After 2022 Breach — www.infosecurity-magazine.com — 12.12.2025 11:10
- LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds — thehackernews.com — 25.12.2025 14:46
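The backups were pulled with a stolen long-lived AWS access key, which is exactly the kind of activity CloudTrail records if anyone is looking at it. The block below is an added detection example written for this page, not code from LastPass, GoTo or the ICO. It assumes the backups sit under one S3 prefix with CloudTrail data events enabled and that corporate egress comes from a known CIDR, and it runs over constructed CloudTrail-style records; the bucket name, prefix, key IDs, addresses and thresholds are all invented. The rule groups backup reads from unexpected addresses by access key, alerts when enough land in a short window, and calls out long-term IAM user keys (the `AKIA` prefix) separately from temporary STS credentials (`ASIA`), since a long-lived key in such an alert usually means a stolen secret rather than a misbehaving role.

```python
"""Flag bulk reads of backup objects by one access key from outside expected networks.
Added example over constructed CloudTrail-style S3 data events; not LastPass/GoTo code."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example (none of these values come from the incident reports).
EXPECTED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # corporate/CI egress range
BACKUP_PREFIX = "db-backups/"                                # where backup objects live
WINDOW = timedelta(minutes=10)                               # sliding window length
THRESHOLD = 5                                                # reads in window that trigger


def _parse(line: str) -> dict:
    """Pull the fields the rule needs out of one CloudTrail record."""
    e = json.loads(line)
    params = e.get("requestParameters") or {}
    return {
        "time": datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00")),
        "key": e.get("userIdentity", {}).get("accessKeyId", ""),
        "ip": e.get("sourceIPAddress", ""),
        "event": e.get("eventName", ""),
        "bucket": params.get("bucketName", ""),
        "object": params.get("key", ""),
    }


def outside_expected(ip: str) -> bool:
    """True for a routable address that is not in any expected egress range.
    Non-IP values (AWS service principals such as 's3.amazonaws.com') are not flagged."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in EXPECTED_EGRESS)


def detect_bulk_backup_reads(lines):
    """Group backup GetObject calls from unexpected IPs by access key and alert when
    THRESHOLD or more fall inside any WINDOW. Long-term IAM user keys (AKIA...) are
    marked separately from temporary STS credentials (ASIA...)."""
    by_key = defaultdict(list)
    for rec in map(_parse, lines):
        if rec["event"] != "GetObject" or not rec["object"].startswith(BACKUP_PREFIX):
            continue
        if rec["key"] and outside_expected(rec["ip"]):
            by_key[rec["key"]].append(rec)

    alerts = []
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["time"] - recs[start]["time"] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                alerts.append({
                    "access_key": key,
                    "long_lived_key": key.startswith("AKIA"),
                    "window_start": recs[start]["time"].isoformat(),
                    "total_reads": len(recs),
                    "source_ips": sorted({r["ip"] for r in recs}),
                    "objects": [r["object"] for r in recs],
                })
                break
    return alerts


def _ev(t, key, ip, name, obj=None):
    """Build one constructed CloudTrail-shaped record as a JSON line."""
    params = {"bucketName": "backups-example"}
    if obj:
        params["key"] = obj
    return json.dumps({"eventTime": t, "eventName": name, "sourceIPAddress": ip,
                       "userIdentity": {"accessKeyId": key}, "requestParameters": params})


SAMPLE_EVENTS = [  # constructed data: a long-term key pulls six backup objects from an unknown IP
    _ev("2022-08-12T03:14:05Z", "AKIAEXAMPLE0000001", "198.51.100.7", "ListObjects"),
    _ev("2022-08-12T03:14:20Z", "AKIAEXAMPLE0000001", "198.51.100.7", "GetObject", "db-backups/vaults-0001.bak"),
    _ev("2022-08-12T03:14:40Z", "AKIAEXAMPLE0000001", "198.51.100.7", "GetObject", "db-backups/vaults-0002.bak"),
    _ev("2022-08-12T03:15:02Z", "AKIAEXAMPLE0000001", "198.51.100.7", "GetObject", "db-backups/vaults-0003.bak"),
    _ev("2022-08-12T03:15:30Z", "AKIAEXAMPLE0000001", "198.51.100.7", "GetObject", "db-backups/vaults-0004.bak"),
    _ev("2022-08-12T03:16:11Z", "AKIAEXAMPLE0000001", "198.51.100.7", "GetObject", "db-backups/vaults-0005.bak"),
    _ev("2022-08-12T03:17:45Z", "AKIAEXAMPLE0000001", "198.51.100.7", "GetObject", "db-backups/vaults-0006.bak"),
    # benign: temporary credentials from the corporate range, and a non-backup object from outside
    _ev("2022-08-12T03:15:00Z", "ASIAEXAMPLE0000002", "203.0.113.20", "GetObject", "db-backups/vaults-0001.bak"),
    _ev("2022-08-12T03:15:10Z", "ASIAEXAMPLE0000002", "203.0.113.20", "GetObject", "db-backups/vaults-0002.bak"),
    _ev("2022-08-12T03:16:00Z", "AKIAEXAMPLE0000003", "198.51.100.9", "GetObject", "static/logo.png"),
]

if __name__ == "__main__":
    for alert in detect_bulk_backup_reads(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

On the sample data the rule raises one alert for `AKIAEXAMPLE0000001` and stays quiet for the in-range temporary credentials and the non-backup read. The natural follow-ups are to pair this with a rule on keys that have never been used from that address before, and to rotate the flagged key as the first response action.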
- The stolen data included encrypted password vaults, names, email addresses, phone numbers, and website URLs associated with customer accounts.
  First reported: 11.12.2025 19:09 · 3 sources, 3 articles. Sources:
- UK fines LastPass over 2022 data breach impacting 1.6 million users — www.bleepingcomputer.com — 11.12.2025 19:09
- ICO Fines LastPass £1.2m After 2022 Breach — www.infosecurity-magazine.com — 12.12.2025 11:10
- LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds — thehackernews.com — 25.12.2025 14:46
- The ICO noted that LastPass' Zero Knowledge architecture meant the stolen customer vaults remained encrypted, but held that the company had still failed to meet its obligation to protect customer data.
  First reported: 11.12.2025 19:09 · 3 sources, 3 articles. Sources:
- UK fines LastPass over 2022 data breach impacting 1.6 million users — www.bleepingcomputer.com — 11.12.2025 19:09
- ICO Fines LastPass £1.2m After 2022 Breach — www.infosecurity-magazine.com — 12.12.2025 11:10
- LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds — thehackernews.com — 25.12.2025 14:46
- The Information Commissioner's Office (ICO) recommended the use of password managers by businesses and consumers as a way to improve identity and access management (IAM).
  First reported: 12.12.2025 11:10 · 1 source, 1 article. Sources:
- ICO Fines LastPass £1.2m After 2022 Breach — www.infosecurity-magazine.com — 12.12.2025 11:10
- Information Commissioner John Edwards stated that businesses offering password management services should ensure that system access and use are restricted to reduce the risk of attack.
  First reported: 12.12.2025 11:10 · 1 source, 1 article. Sources:
- ICO Fines LastPass £1.2m After 2022 Breach — www.infosecurity-magazine.com — 12.12.2025 11:10
- LastPass customers had a right to expect that the personal information they entrusted to the company would be kept safe and secure, but the company fell short of this expectation.
  First reported: 12.12.2025 11:10 · 1 source, 1 article. Sources:
- ICO Fines LastPass £1.2m After 2022 Breach — www.infosecurity-magazine.com — 12.12.2025 11:10
- The encrypted vault backups stolen in the 2022 LastPass data breach have enabled bad actors to crack vaults protected by weak master passwords and drain cryptocurrency assets as recently as late 2025.
  First reported: 25.12.2025 14:46 · 1 source, 1 article. Sources:
- LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds — thehackernews.com — 25.12.2025 14:46
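The cracking described here is an offline attack: whoever holds a vault backup can try master passwords at CPU or GPU speed with no server rate limit and no MFA in the way, and the only thing setting the cost of each guess is the key-derivation work factor stored alongside the vault. The block below is an added example written for this page, not code from LastPass, the ICO or TRM Labs. It models the vault key as PBKDF2-HMAC-SHA256 keyed on the master password and salted with the account e-mail (an assumed simplification of LastPass's published derivation; the separate login hash is left out), substitutes a stdlib HMAC keystream for the AES-256 the real vault uses, and runs a constructed wordlist against constructed vaults. The iteration counts compared are the 5,000 that older LastPass accounts were known to use and the 600,000 OWASP currently recommends for PBKDF2-HMAC-SHA256.

```python
"""Offline dictionary attack against a LastPass-style encrypted vault.
Added example with constructed data; not code from LastPass, the ICO or TRM Labs."""
import hashlib
import hmac
import time
from typing import Iterable, Optional, Tuple

MAGIC = b"LPAV"  # assumed plaintext header, present only so a key guess can be verified


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 keyed on the master password and salted with the account
    e-mail (assumption: a simplified model of LastPass's published derivation; the
    separate login hash is omitted). Everything but the password is in the backup."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, 32)


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream: a stdlib-only stand-in for the AES-256
    the real vault uses, so the example needs no third-party package."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def encrypt_vault(master_password: str, email: str, iterations: int, plaintext: bytes) -> dict:
    """What an attacker holds after the backup theft: salt (e-mail), cost, ciphertext."""
    key = derive_vault_key(master_password, email, iterations)
    return {"email": email, "iterations": iterations, "ciphertext": _xor(MAGIC + plaintext, key)}


def try_key(vault: dict, key: bytes) -> Optional[bytes]:
    """Decrypt with a candidate key; accept it only if the header checks out."""
    pt = _xor(vault["ciphertext"], key)
    return pt[len(MAGIC):] if pt.startswith(MAGIC) else None


def crack_vault(vault: dict, wordlist: Iterable[str]) -> Optional[Tuple[str, bytes, int]]:
    """Try each candidate in turn. Nothing throttles this: the vault is local, so
    neither LastPass's servers nor the account's MFA are involved."""
    for n, candidate in enumerate(wordlist, 1):
        pt = try_key(vault, derive_vault_key(candidate, vault["email"], vault["iterations"]))
        if pt is not None:
            return candidate, pt, n
    return None


def guesses_per_second(email: str, iterations: int, samples: int = 5) -> float:
    """Rough single-core guess rate at a given PBKDF2 cost (GPU rigs are far faster)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess{i}", email, iterations)
    return samples / (time.perf_counter() - start)


# Constructed stand-in for a leaked-password list; real attacks use millions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty", "Summer2022!", "Welcome1", "lastpass"]

if __name__ == "__main__":
    email = "victim@example.com"  # constructed
    secret = b'{"site":"wallet.example","note":"recovery seed phrase kept here"}'
    # 5,000 iterations: the long-standing LastPass default on older accounts.
    weak = encrypt_vault("Summer2022!", email, 5000, secret)
    # 600,000 iterations: OWASP's current PBKDF2-HMAC-SHA256 recommendation.
    strong = encrypt_vault("glacier-velvet-ampere-9-tundra", email, 600000, secret)
    print("weak password, 5,000 iterations   :", crack_vault(weak, WORDLIST))
    print("strong passphrase, 600,000 iters  :", crack_vault(strong, WORDLIST))
    for it in (5000, 600000):
        print(f"{it:>7} iterations: ~{guesses_per_second(email, it, 3):,.1f} guesses/s on one core")
```

The weak vault falls on the fifth guess; the passphrase vault survives the wordlist, and each guess against it costs 120 times more CPU. That ratio is the whole point of the ICO's observation: encryption at rest only holds for as long as the password entropy and the work factor together keep the guess count out of reach, and a vault copied from a backup gives the attacker unlimited time to spend on it.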
- Evidence points to the involvement of Russian cybercriminal actors in the activity, with one Russian exchange receiving LastPass-linked funds as recently as October 2025.
  First reported: 25.12.2025 14:46 · 1 source, 1 article. Sources:
- LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds — thehackernews.com — 25.12.2025 14:46
- More than $35 million in siphoned digital assets has been traced, of which $28 million was converted to Bitcoin and laundered via Wasabi Wallet between late 2024 and early 2025.
  First reported: 25.12.2025 14:46 · 1 source, 1 article. Sources:
- LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds — thehackernews.com — 25.12.2025 14:46
- A further $7 million has been linked to a subsequent wave detected in September 2025.
  First reported: 25.12.2025 14:46 · 1 source, 1 article. Sources:
- LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds — thehackernews.com — 25.12.2025 14:46
- The stolen funds were routed through Cryptomixer.io and off-ramped via Cryptex and Audia6, two Russian exchanges associated with illicit activity.
  First reported: 25.12.2025 14:46 · 1 source, 1 article. Sources:
- LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds — thehackernews.com — 25.12.2025 14:46
Similar Happenings
US Seizes E-Note Crypto Exchange for Ransomware Laundering
The U.S. Department of Justice, in an FBI-led operation with international partners, has seized the E-Note cryptocurrency exchange for allegedly laundering over $70 million in ransomware and account takeover proceeds. The operation involved confiscating domains, servers, and customer databases, and an indictment was unsealed against the Russian national Mykhalio Petrovich Chudnovets, believed to be the operator of E-Note. Chudnovets allegedly used those laundering services, which he began offering in 2010, to support attacks on US healthcare and critical infrastructure sectors. The seized records may lead to the identification of further cybercriminals involved in the laundering scheme.
Sensitive Data Exposed via Publicly Accessible Code-Formatting Tools
Over 80,000 JSON snippets containing sensitive credentials, authentication keys, and configuration data from organizations in critical sectors were exposed through the Recent Links feature of JSONFormatter and CodeBeautify. The data, totaling over 5GB, included Active Directory credentials, database and cloud credentials, private keys, CI/CD secrets, payment gateway keys, API tokens, SSH session recordings, and personally identifiable information (PII). Researchers found that threat actors actively scanned and accessed this exposed data, with some organizations failing to remediate the issue. The exposed data impacted sectors such as government, banking, healthcare, and cybersecurity, with some credentials linked to major financial exchanges and managed security service providers (MSSPs). The Recent Links feature, which lacks access controls, allows anyone to scrape the data using predictable URLs. Researchers also set up a honeypot to confirm that threat actors were actively scanning for sensitive information, with access attempts recorded even after the links had expired. Both JSONFormatter and CodeBeautify have temporarily disabled the save functionality in response to the research, claiming they are working on enhanced NSFW content prevention measures.
Crypto Laundering Scheme Involving $230M Heist Uncovered
A 45-year-old California man, Kunal Mehta, has pleaded guilty to laundering at least $25 million stolen in a $230 million cryptocurrency heist. The scheme involved a large group that used social engineering to access victims' accounts between October 2023 and March 2025. The group, which included members from various states and abroad, was involved in organizing, hacking, and stealing funds. Mehta served as a money launderer, creating shell companies to launder funds through bank accounts. The stolen cryptocurrency was used to finance lavish lifestyles, including luxury cars and international travel. The FBI has emphasized the importance of being vigilant against online scams.
Credential Compromise Lifecycle and Enterprise Risks
Enterprise credentials are frequently compromised through phishing, brute-force attacks, third-party breaches, and exposed API keys. Attackers aggregate and monetize these credentials by selling them on underground markets, and buyers use them for account takeover, lateral movement, data theft, resource abuse, and ransomware deployment, causing significant financial and reputational damage. The credential compromise lifecycle runs from users creating credentials, through compromise, aggregation and monetization, distribution and weaponization, to exploitation. Common vectors include phishing campaigns, credential stuffing, third-party breaches, and leaked API keys. The criminal ecosystem consists of opportunistic fraudsters, automated botnets, criminal marketplaces, and organized crime groups, each with different motivations and methods. The resulting costs include regulatory fines, lawsuits, remediation expenses, and long-term reputational harm.
International Law Enforcement Dismantles Credit Card Fraud Networks
International authorities have dismantled three large-scale credit card fraud and money laundering networks in Operation Chargeback. The operation targeted 44 suspects, including American, Austrian, Canadian, Danish, Dutch, German, and Lithuanian nationals, and resulted in the arrest of 18 individuals. The fraud networks affected over 4.3 million cardholders across 193 countries, causing losses exceeding €300 million. The operation involved over 60 searches and the execution of 18 arrest warrants. The fraudsters created over 19 million fake online subscriptions for services like pornography, dating, and streaming. They disguised monthly charges of about €50 to avoid detection. The operation was led by the Cybercrime Department of the General Prosecutor’s Office in Koblenz and the German Federal Criminal Police Office, supported by Europol and Eurojust. Authorities seized assets worth over €35 million, including luxury vehicles, cryptocurrency, and electronic devices. The suspects face accusations of organized computer fraud, membership in a criminal group, and money laundering. The fraudsters abused four major German payment service providers to launder proceeds, with six employees allegedly helping the fraudsters in exchange for fees. The suspects concealed their activities through numerous shell companies obtained through crime-as-a-service providers, primarily registered in the UK and Cyprus. The estimated attempted damages from the fraud schemes surpass €750 million (~$865 million).