LastPass: Difference between revisions

From Consumer Rights Wiki
Converted to cite web for refs, great start though!
Galomi04
m See also: added more links to 'see also'
 
(13 intermediate revisions by 7 users not shown)
Line 3: Line 3:
|ArticleType=Service
|ArticleType=Service
|Category=Password Managers, Browser extension, Software, Security
|Category=Password Managers, Browser extension, Software, Security
|Logo=LastPass logo.png
|Logo=LastPass logo.svg
|Website=https://www.lastpass.com/
|Website=https://www.lastpass.com/
|Description=LastPass is a password manager application that allows users to store passwords and notes securely using one master password.
|Description=LastPass is a password manager application that allows users to store passwords and notes securely using one master password.
}}
}}
'''LastPass''' is a password manager application that allows users to store passwords and notes securely using one master password. It was launched in 2008 and was one of the first widely adopted password managers.


In 2015 LastPass was acquired by GoTo (formerly LogMeIn Inc) for $110 million. LastPass was later spun off into it's own company being acquired by private equity firms Francisco Partners and Elliott Management in 2024.<ref>{{Cite web|url=https://www.lastpass.com/company/newsroom/b948ad48-3268-4c9e-8b45-0d6d02d0b4e7}}</ref>
'''{{Wplink|LastPass}}''' is a {{Wplink|password manager}} application that allows users to store passwords and notes securely using one master password. It was launched in 2008 and was one of the first widely adopted password managers.


==Consumer-impact summary==
In 2015 LastPass was acquired by {{Wplink|GoTo (US company)|GoTo}} (formerly LogMeIn Inc) for $110 million. LastPass was later spun off into its own company being acquired by {{Wplink|private equity firm}}s Francisco Partners and Elliott Management in 2024.<ref>{{Cite web |url=https://www.lastpass.com/company/newsroom/b948ad48-3268-4c9e-8b45-0d6d02d0b4e7 |title=LastPass Completes Journey to Become an Independent Company with Enhanced Cybersecurity Focus and Executive Leadership Team |date=1 May 2024 |website=LastPass |access-date=2 Nov 2025 |archive-url=http://web.archive.org/web/20260211035211/https://www.lastpass.com/company/newsroom/b948ad48-3268-4c9e-8b45-0d6d02d0b4e7 |archive-date=11 Feb 2026}}</ref>
LastPass, being a password manager, stores and transmits highly sensitive information (passwords and secure notes). LastPass relies on it's users trusting it to safely handle this information and have it be accessible.  


Use of a subscription service for more device types allows LastPass to restrict where users can view their passwords.
LastPass has suffered a number of security incidents over the years with the most severe being the 2022 data breach which saw encrypted customer passwords and secret notes get exposed. Despite the most sensitive information being encrypted, the vault can be decrypted and was allegedly used in the theft of $35 million in cryptocurrency from 150 victims. In 2025 an even larger theft of $150 million was traced back to the data breach.<ref>{{Cite web|url=https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks |title=Feds Link $150 Million CyberHeist to 2022 LastPass Hacks |date=7 Mar 2025 |website=KrebsonSecurity |access-date=2 Nov 2025 |archive-url=http://web.archive.org/web/20260221112713/https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks/ |archive-date=21 Feb 2026}}</ref>


LastPass has suffered a number of security incidents over the years with the most severe being the 2022 data breach which saw encrypted customer passwords and secret notes get exposed. Despite the most sensitive information being encrypted, the vault can be decrypted and was allegedly used in the theft of $35 million in cryptocurrency from 150 victims. In 2025 an even larger theft of $150 million was traced back to the data breach.<ref>{{Cite web|url=https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks|title=Feds Link $150 Million CyberHeist to 2022 LastPass Hacks}}</ref>
==Consumer impact summary==
{{Ph-C-CIS}}
*'''User privacy:''' LastPass, being a password manager, stores and transmits highly sensitive information (passwords and secure notes). LastPass relies on its users trusting it to safely handle this information and have it be accessible.  
 
*'''User freedom:''' Use of a [[subscription service]] for more device types allows LastPass to restrict where users can view their passwords.


==Incidents==
==Incidents==
===Free Tier Device Type Restrictions===
On February 16, 2021 LastPass changed it's free tier to restrict users to only one device type. After March 16, 2021 If a user was using LastPass on their Computer they would not be able to view their LastPass vault on mobile without paying for premium. These restrictions locked a large number of LastPass's userbase out of their passwords.<ref>{{Cite web|title=Changes to LastPass free tier|url=https://blog.lastpass.com/posts/changes-to-lastpass-free}}</ref>


===2022 Data Breach===
===Free tier device type restrictions (''2021'')===
In August 2022 and November 2022 LastPass suffered a data breach involving a backup copy of a customer database and customer password vaults. The attackers used a compromised developer account to access source code which contained credentials to the aforementioned backup database. The stolen data included encrypted usernames, passwords and secure notes. It was also discovered that URLs, IP Addresses, Phone Numbers and some emails were unencrypted.<ref>{{Cite web|url=https://securityscorecard.com/blog/what-did-the-lastpass-breach-reveal-about-password-manager-security|title=What did the lastpass breach reveal about password manager security?}}</ref>
{{See also|Post-purchase EULA modification}}
 
On February 16, 2021 LastPass changed its free tier to restrict users to only one device type. After March 16, 2021, if a user was using LastPass on their computer, they would not be able to view their LastPass vault on mobile without paying for premium. These restrictions locked a large number of LastPass's userbase out of their passwords.<ref>{{Cite web|title=Changes to LastPass free tier|url=https://blog.lastpass.com/posts/changes-to-lastpass-free|date=2021-02-16|work=LastPass Blog|access-date=2025-11-02 |archive-url=http://web.archive.org/web/20260217211201/https://blog.lastpass.com/posts/changes-to-lastpass-free |archive-date=17 Feb 2026}}</ref>
 
===Data breach (''2022'')===
In August 2022 and November 2022, LastPass suffered a data breach involving a backup copy of a customer database and customer password vaults. The attackers used a compromised developer account to access source code which contained credentials to the aforementioned backup database. The stolen data included encrypted user names, passwords and secure notes. It was also discovered that URLs, IP addresses, phone numbers and some emails were unencrypted.<ref>{{Cite web |url=https://securityscorecard.com/blog/what-did-the-lastpass-breach-reveal-about-password-manager-security |title=What did the lastpass breach reveal about password manager security? |date=13 Jun 2025 |website=SecurityScorecard |author=Learning Center |access-date=2 Nov 2025 |archive-url=http://web.archive.org/web/20260108033555/https://securityscorecard.com/blog/what-did-the-lastpass-breach-reveal-about-password-manager-security/ |archive-date=8 Jan 2026}}</ref>
 
====Aftermath====
=====ICO fine=====
In December 2025, the {{Wplink|Information Commissioner's Office |ICO}} announced that it had fined LastPass UK Ltd £1.2 million based on their findings following the data breach. They concluded that ''"LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database."'' The ICO also added that there was ''"no evidence that hackers were able to unencrypt customer passwords as these are stored locally on customer devices and not by LastPass."''<ref>{{Cite web |date=11 Dec 2025 |title=Password manager provider fined £1.2m by ICO for data breach |author=ICO |url=https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/password-manager-provider-fined/ |url-status=live |website=ico.org.uk |archive-url=https://web.archive.org/web/20260613214400/https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/password-manager-provider-fined/ |archive-date=13 Jun 2026 |access-date=23 Jun 2026}}</ref>
 
=====Stolen cryptocurrency and settlement=====
Also in December 2025, [https://www.trmlabs.com/ TRM] reported that their analysts had been able to ''"trace the stolen funds through mixers and ultimately to two high-risk Russian exchanges frequently used by cybercriminals as fiat off-ramps — with one of them receiving LastPass-linked funds as recently as October."'' This was reportedly the result of analyzing clusters of wallet drains that occurred after the breach, with waves of them surfacing as late as 2024 and 2025.<ref>{{Cite web |author=TRM Team |title=TRM Traces Stolen Crypto from 2022 LastPass Breach — On-chain Indicators Suggest Russian Cybercriminal Involvement |date=24 Dec 2025 |url=https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement |url-status=live |website=trmlabs.com |archive-url=https://web.archive.org/web/20260604104239/https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement |archive-date=4 Jun 2026 |access-date=23 Jun 2026}}</ref><ref>{{Cite web |title=Stolen LastPass backups enable crypto theft through 2025 |date=28 Dec 2025 |first=Pierluigi |last=Paganini |url=https://securityaffairs.com/186191/digital-id/stolen-lastpass-backups-enable-crypto-theft-through-2025.html |url-status=live |website=securityaffairs.com |archive-url=https://web.archive.org/web/20260611133236/https://securityaffairs.com/186191/digital-id/stolen-lastpass-backups-enable-crypto-theft-through-2025.html |archive-date=11 Jun 2026 |access-date=23 Jun 2026}}</ref>
 
After multiple class action lawsuits were consolidated into a single lawsuit in Massachusetts, LastPass settled but admitted no misconduct. A representative of theirs stated:
 
<blockquote>''"While we continue to deny the alleged claims, we have agreed to a settlement to avoid the ongoing distraction and uncertainty of protracted litigation. Our focus remains on serving our customers, and over the last three years we have made substantial investments across our people, processes and technology, so that we can continue to build and keep trust in LastPass."''<ref>{{Cite web |first=Alaina |last=Yee |date=1 Apr 2026 |title=The LastPass breach settlement is real. Here’s what you should know |url=https://www.pcworld.com/article/3102935/the-lastpass-breach-settlement-is-real-heres-what-you-should-know.html |url-status=live |website=pcworld.com |archive-url=https://web.archive.org/web/20260519185841/https://www.pcworld.com/article/3102935/the-lastpass-breach-settlement-is-real-heres-what-you-should-know.html |archive-date=19 May 2026 |access-date=23 Jun 2026}}</ref></blockquote>


==='create backup' phishing campaign (''2026'')===
On or around January 19th 2026, phishing emails were sent out from multiple email and ip addresses. The emails claimed that maintenance was to be conducted and that LastPass users needed to backup their vaults within 24 hours. They also contained links which took users to a website which allowed them to perform vault "backups." LastPass seems to have detected this relatively quickly as a threat intel blog post was already published on their website by January 20th.<ref>{{Cite web |title=New Phishing Campaign Targeting LastPass Customers |author=Threat Intelligence, Mitigation, and Escalation (TIME) team |date=20 Jan 2026 |url=https://blog.lastpass.com/posts/new-phishing-campaign-targeting-lastpass-customers |url-status=live |website=blog.lastpass.com |archive-url=https://web.archive.org/web/20260212173304/https://blog.lastpass.com/posts/new-phishing-campaign-targeting-lastpass-customers |archive-date=12 Feb 2026 |access-date=23 Jun 2026}}</ref><ref>{{Cite web |first=Vlad |last=Constantinescu |date=22 Jan 2026 |title=LastPass ‘create backup’ email is a phishing scam targeting your master password |url=https://www.bitdefender.com/en-us/blog/hotforsecurity/lastpass-create-backup-email-is-a-phishing-scam-targeting-your-master-password |url-status=live |website=bitdefender |archive-url=https://web.archive.org/web/20260217135934/https://www.bitdefender.com/en-us/blog/hotforsecurity/lastpass-create-backup-email-is-a-phishing-scam-targeting-your-master-password |archive-date=17 Feb 2026 |access-date=23 Jun 2026}}</ref>


==See also==
==See also==
 
*[[Data lock-in]]
*[[1Password]]
*[[Bitwarden]]
*[[NordVPN]]


==References==
==References==
{{Reflist}}


[[Category:{{PAGENAME}}]]
[[Category:{{PAGENAME}}]]
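Review bot: the {{Ph-C-CIS}} placeholder template is still present directly under the new ==Consumer impact summary== heading even though the section's two bullets (User privacy, User freedom) are now written below it; the rendered page therefore still shows the template's "Add your text below this box..." instruction, so the {{Ph-C-CIS}} line should be deleted in a follow-up edit. Secondary style point: the new revision links TRM with a bare external link ([https://www.trmlabs.com/ TRM]) while the other linked organisations in the same revision (GoTo, ICO) use {{Wplink|...}}; the URL is already carried by the adjacent citation, so an internal or Wplink link would match the article's convention.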

Latest revision as of 07:47, 28 June 2026

LastPass

Basic information
Release year: 2008
Product type: Password Managers, Browser extension, Software, Security
In production
Official website: https://www.lastpass.com/


LastPass is a password manager application that allows users to store passwords and notes securely using one master password. It was launched in 2008 and was one of the first widely adopted password managers.

In 2015 LastPass was acquired by GoTo (formerly LogMeIn Inc) for $110 million. LastPass was later spun off into its own company when it was acquired by the private equity firms Francisco Partners and Elliott Management in 2024.[1]

LastPass has suffered a number of security incidents over the years, the most severe being the 2022 data breach, in which encrypted customer passwords and secret notes were exposed. Despite the most sensitive information being encrypted, the stolen vaults can still be decrypted, and the breach was allegedly used in the theft of $35 million in cryptocurrency from 150 victims. In 2025 an even larger theft of $150 million was traced back to the data breach.[2]

Consumer impact summary


  • User privacy: LastPass, being a password manager, stores and transmits highly sensitive information (passwords and secure notes). LastPass relies on its users trusting it to safely handle this information and have it be accessible.
  • User freedom: Use of a subscription service for more device types allows LastPass to restrict where users can view their passwords.

Incidents


Free tier device type restrictions (2021)


On February 16, 2021 LastPass changed its free tier to restrict users to only one device type. After March 16, 2021, if a user was using LastPass on their computer, they would not be able to view their LastPass vault on mobile without paying for premium. These restrictions locked a large number of LastPass's userbase out of their passwords.[3]

Data breach (2022)


In August 2022 and November 2022, LastPass suffered a data breach involving a backup copy of a customer database and customer password vaults. The attackers used a compromised developer account to access source code which contained credentials to the aforementioned backup database. The stolen data included encrypted user names, passwords and secure notes. It was also discovered that URLs, IP addresses, phone numbers and some emails were unencrypted.[4]

Aftermath

ICO fine

In December 2025, the ICO announced that it had fined LastPass UK Ltd £1.2 million based on its findings following the data breach. It concluded that "LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database." The ICO also added that there was "no evidence that hackers were able to unencrypt customer passwords as these are stored locally on customer devices and not by LastPass."[5]

Stolen cryptocurrency and settlement

Also in December 2025, TRM reported that their analysts had been able to "trace the stolen funds through mixers and ultimately to two high-risk Russian exchanges frequently used by cybercriminals as fiat off-ramps — with one of them receiving LastPass-linked funds as recently as October." This was reportedly the result of analyzing clusters of wallet drains that occurred after the breach, with waves of them surfacing as late as 2024 and 2025.[6][7]

After multiple class action lawsuits were consolidated into a single lawsuit in Massachusetts, LastPass settled but admitted no misconduct. A representative of theirs stated:

"While we continue to deny the alleged claims, we have agreed to a settlement to avoid the ongoing distraction and uncertainty of protracted litigation. Our focus remains on serving our customers, and over the last three years we have made substantial investments across our people, processes and technology, so that we can continue to build and keep trust in LastPass."[8]

'create backup' phishing campaign (2026)


On or around January 19, 2026, phishing emails were sent out from multiple email addresses and IP addresses. The emails claimed that maintenance was to be conducted and that LastPass users needed to back up their vaults within 24 hours. They also contained links that took users to a website which let them perform vault "backups". LastPass seems to have detected this relatively quickly, as a threat intelligence blog post was already published on its website by January 20.[9][10]

See also


References

  1. "LastPass Completes Journey to Become an Independent Company with Enhanced Cybersecurity Focus and Executive Leadership Team". LastPass. 1 May 2024. Archived from the original on 11 Feb 2026. Retrieved 2 Nov 2025.
  2. "Feds Link $150 Million CyberHeist to 2022 LastPass Hacks". KrebsonSecurity. 7 Mar 2025. Archived from the original on 21 Feb 2026. Retrieved 2 Nov 2025.
  3. "Changes to LastPass free tier". LastPass Blog. 16 Feb 2021. Archived from the original on 17 Feb 2026. Retrieved 2 Nov 2025.
  4. Learning Center (13 Jun 2025). "What did the lastpass breach reveal about password manager security?". SecurityScorecard. Archived from the original on 8 Jan 2026. Retrieved 2 Nov 2025.
  5. ICO (11 Dec 2025). "Password manager provider fined £1.2m by ICO for data breach". ico.org.uk. Archived from the original on 13 Jun 2026. Retrieved 23 Jun 2026.
  6. TRM Team (24 Dec 2025). "TRM Traces Stolen Crypto from 2022 LastPass Breach — On-chain Indicators Suggest Russian Cybercriminal Involvement". trmlabs.com. Archived from the original on 4 Jun 2026. Retrieved 23 Jun 2026.
  7. Paganini, Pierluigi (28 Dec 2025). "Stolen LastPass backups enable crypto theft through 2025". securityaffairs.com. Archived from the original on 11 Jun 2026. Retrieved 23 Jun 2026.
  8. Yee, Alaina (1 Apr 2026). "The LastPass breach settlement is real. Here's what you should know". pcworld.com. Archived from the original on 19 May 2026. Retrieved 23 Jun 2026.
  9. Threat Intelligence, Mitigation, and Escalation (TIME) team (20 Jan 2026). "New Phishing Campaign Targeting LastPass Customers". blog.lastpass.com. Archived from the original on 12 Feb 2026. Retrieved 23 Jun 2026.
  10. Constantinescu, Vlad (22 Jan 2026). "LastPass 'create backup' email is a phishing scam targeting your master password". bitdefender. Archived from the original on 17 Feb 2026. Retrieved 23 Jun 2026.