SinexTitan
logo changed to SVG
Rudxain
m links, typos, sentence case, etc...
 
(One intermediate revision by one other user not shown)
Line 8: Line 8:
}}
}}


'''LastPass''' is a password manager application that allows users to store passwords and notes securely using one master password. It was launched in 2008 and was one of the first widely adopted password managers.
'''[[wikipedia:LastPass|LastPass]]''' is a [[wikipedia:Password_manager|password manager]] application that allows users to store passwords and notes securely using one master password. It was launched in 2008 and was one of the first widely adopted password managers.


In 2015 LastPass was acquired by GoTo (formerly LogMeIn Inc) for $110 million. LastPass was later spun off into it's own company being acquired by private equity firms Francisco Partners and Elliott Management in 2024.<ref>{{Cite web|url=https://www.lastpass.com/company/newsroom/b948ad48-3268-4c9e-8b45-0d6d02d0b4e7|title=LastPass Completes Journey to Become an Independent Company with Enhanced Cybersecurity Focus and Executive Leadership Team |date=2024-05-01|work=LastPass Newsroom|access-date=2025-11-02}}</ref>
In 2015 LastPass was acquired by [[wikipedia:GoTo_(US_company)|GoTo]] (formerly LogMeIn Inc) for $110 million. LastPass was later spun off into it's own company being acquired by [[wikipedia:Private_equity_firm|private equity firms]] Francisco Partners and Elliott Management in 2024.<ref>{{Cite web|url=https://www.lastpass.com/company/newsroom/b948ad48-3268-4c9e-8b45-0d6d02d0b4e7|title=LastPass Completes Journey to Become an Independent Company with Enhanced Cybersecurity Focus and Executive Leadership Team |date=2024-05-01|work=LastPass Newsroom|access-date=2025-11-02 |archive-url=http://web.archive.org/web/20260211035211/https://www.lastpass.com/company/newsroom/b948ad48-3268-4c9e-8b45-0d6d02d0b4e7 |archive-date=11 Feb 2026}}</ref>
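
Review bot: the revised acquisition paragraph still reads "spun off into it's own company"; the possessive should be "its", the same correction this revision makes in the Consumer-impact summary ("relies on its users"). The second sentence would also read more clearly with a comma or a split before "being acquired by".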


==Consumer-impact summary==
==Consumer-impact summary==
LastPass, being a password manager, stores and transmits highly sensitive information (passwords and secure notes). LastPass relies on it's users trusting it to safely handle this information and have it be accessible.  
LastPass, being a password manager, stores and transmits highly sensitive information (passwords and secure notes). LastPass relies on its users trusting it to safely handle this information and have it be accessible.  


Use of a subscription service for more device types allows LastPass to restrict where users can view their passwords.
Use of a [[subscription service]] for more device types allows LastPass to restrict where users can view their passwords.


LastPass has suffered a number of security incidents over the years with the most severe being the 2022 data breach which saw encrypted customer passwords and secret notes get exposed. Despite the most sensitive information being encrypted, the vault can be decrypted and was allegedly used in the theft of $35 million in cryptocurrency from 150 victims. In 2025 an even larger theft of $150 million was traced back to the data breach.<ref>{{Cite web|url=https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks|title=Feds Link $150 Million CyberHeist to 2022 LastPass Hacks|date=2025-03-07|work=KrebsonSecurity|access-date=2025-11-02}}</ref>
LastPass has suffered a number of security incidents over the years with the most severe being the 2022 data breach which saw encrypted customer passwords and secret notes get exposed. Despite the most sensitive information being encrypted, the vault can be decrypted and was allegedly used in the theft of $35 million in cryptocurrency from 150 victims. In 2025 an even larger theft of $150 million was traced back to the data breach.<ref>{{Cite web|url=https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks|title=Feds Link $150 Million CyberHeist to 2022 LastPass Hacks|date=2025-03-07|work=KrebsonSecurity|access-date=2025-11-02 |archive-url=http://web.archive.org/web/20260221112713/https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks/ |archive-date=21 Feb 2026}}</ref>
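
Review bot: the `archive-url` added to the KrebsOnSecurity citation uses `http://web.archive.org/...`, as do the other archive links added in this revision; switch them to `https://` so readers following a citation are not sent over plaintext HTTP. The carried-over claim "the vault can be decrypted" also does not say under what condition, and a qualifier taken from the cited source would make it more precise.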


==Incidents==
==Incidents==
===Free Tier Device Type Restrictions===
===Free Tier Device Type Restrictions===
On February 16, 2021 LastPass changed it's free tier to restrict users to only one device type. After March 16, 2021 If a user was using LastPass on their Computer they would not be able to view their LastPass vault on mobile without paying for premium. These restrictions locked a large number of LastPass's userbase out of their passwords.<ref>{{Cite web|title=Changes to LastPass free tier|url=https://blog.lastpass.com/posts/changes-to-lastpass-free|date=2021-02-16|work=LastPass Blog|access-date=2025-11-02}}</ref>
{{See also|Post-purchase EULA modification}}
On February 16, 2021 LastPass changed it's free tier to restrict users to only one device type. After March 16, 2021, if a user was using LastPass on their computer, they would not be able to view their LastPass vault on mobile without paying for premium. These restrictions locked a large number of LastPass's userbase out of their passwords.<ref>{{Cite web|title=Changes to LastPass free tier|url=https://blog.lastpass.com/posts/changes-to-lastpass-free|date=2021-02-16|work=LastPass Blog|access-date=2025-11-02 |archive-url=http://web.archive.org/web/20260217211201/https://blog.lastpass.com/posts/changes-to-lastpass-free |archive-date=17 Feb 2026}}</ref>
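
Review bot: the corrected free-tier paragraph fixes capitalization and commas in its second sentence but leaves "changed it's free tier" in the first; that should be "its", matching the fix made in the Consumer-impact summary.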


===2022 Data Breach===
===2022 Data Breach===
In August 2022 and November 2022 LastPass suffered a data breach involving a backup copy of a customer database and customer password vaults. The attackers used a compromised developer account to access source code which contained credentials to the aforementioned backup database. The stolen data included encrypted usernames, passwords and secure notes. It was also discovered that URLs, IP Addresses, Phone Numbers and some emails were unencrypted.<ref>{{Cite web|url=https://securityscorecard.com/blog/what-did-the-lastpass-breach-reveal-about-password-manager-security|title=What did the lastpass breach reveal about password manager security?|date=2025-06-13|work=SecurityScorecard|author=Learning Center|access-date=2025-11-02}}</ref>
In August 2022 and November 2022, LastPass suffered a data breach involving a backup copy of a customer database and customer password vaults. The attackers used a compromised developer account to access source code which contained credentials to the aforementioned backup database. The stolen data included encrypted usernames, passwords and secure notes. It was also discovered that URLs, IP addresses, phone numbers and some emails were unencrypted.<ref>{{Cite web|url=https://securityscorecard.com/blog/what-did-the-lastpass-breach-reveal-about-password-manager-security|title=What did the lastpass breach reveal about password manager security?|date=2025-06-13|work=SecurityScorecard|author=Learning Center|access-date=2025-11-02 |archive-url=http://web.archive.org/web/20260108033555/https://securityscorecard.com/blog/what-did-the-lastpass-breach-reveal-about-password-manager-security/ |archive-date=8 Jan 2026}}</ref>
==See also==


 
* [[Data lock-in]]
==See also==
{{Ph-C-SA}}
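
Review bot: `==See also==` appears twice in this region, once directly after the 2022 Data Breach paragraph with no blank line before it and once above `{{Ph-C-SA}}`; check that the saved revision carries a single See also heading, separated from the breach paragraph by a blank line, with `* [[Data lock-in]]` listed under it.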


==References==
==References==
{{Reflist}}
{{Reflist}}
[[Category:{{PAGENAME}}]]
[[Category:{{PAGENAME}}]]