LastPass

From Consumer Rights Wiki
Basic Information
Release Year 2008
Product Type Password Managers, Browser extension, Software, Security
In Production
Official Website https://www.lastpass.com/


LastPass is a password manager application that lets users store passwords and notes securely behind a single master password. It was launched in 2008 and was one of the first widely adopted password managers.

In 2015, LastPass was acquired by GoTo (formerly LogMeIn Inc) for $110 million. LastPass was later spun off into its own company when it was acquired by the private equity firms Francisco Partners and Elliott Management in 2024.[1]

Consumer-impact summary

LastPass, being a password manager, stores and transmits highly sensitive information (passwords and secure notes). LastPass relies on its users trusting it to handle this information safely and to keep it accessible.

Because access from additional device types requires a paid subscription, LastPass is able to restrict where users can view their own passwords.

LastPass has suffered a number of security incidents over the years, the most severe being the 2022 data breach, in which encrypted customer passwords and secure notes were exposed. Although the most sensitive information was encrypted, the stolen vaults can still be decrypted, and vault data was allegedly used in the theft of $35 million in cryptocurrency from 150 victims. In 2025 an even larger theft, of $150 million, was traced back to the same data breach.[2]

Incidents

Free Tier Device Type Restrictions (2021)

On February 16, 2021, LastPass changed its free tier to restrict users to a single device type. After March 16, 2021, a user who used LastPass on their computer could no longer view their LastPass vault on mobile without paying for Premium. These restrictions locked a large part of LastPass's user base out of their passwords.[3]

2022 Data Breach

Between August 2022 and November 2022, LastPass suffered a data breach that exposed a backup copy of a customer database and customer password vaults. The attackers used a compromised developer account to access source code that contained credentials for the aforementioned backup database. The stolen data included encrypted usernames, passwords and secure notes. It was also discovered that URLs, IP addresses, phone numbers and some email addresses had been stored unencrypted.[4]

'create backup' Phishing Campaign (2026)

On or around January 19, 2026, phishing emails were sent from multiple email and IP addresses. The emails claimed that maintenance was about to be performed and that LastPass users needed to back up their vaults within 24 hours. They contained links to a website that let users perform vault "backups." LastPass appears to have detected the campaign relatively quickly, as a threat-intelligence blog post had already been published on its website by January 20.[5][6]
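The campaign above worked because the email's links pointed at a site that was not LastPass. The following is an added example, not code from LastPass or from this wiki, showing how a mail filter or a cautious user can check a link against an allowlist of legitimate hosts. The allowlist contains only the LastPass hosts named on this page; the ".test" domains in the sample links are constructed placeholders, not the addresses used in the real campaign.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for this example: only hosts that appear on the page.
# A real mail filter would maintain its own, reviewed allowlist.
LEGITIMATE_HOSTS = {"lastpass.com", "www.lastpass.com", "blog.lastpass.com"}


def link_host(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to for ``url``.

    Returns None for anything that is not an http(s) URL. ``hostname``
    already strips userinfo ("lastpass.com@evil.test" -> "evil.test"),
    drops the port and lowercases the name, so those lookalike tricks
    cannot pass a plain string comparison.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname
    if not host:
        return None
    # A trailing dot names the same DNS zone; normalise it away.
    return host.rstrip(".")


def is_legitimate_lastpass_link(url: str) -> bool:
    """True only when the connecting host is exactly on the allowlist.

    Suffix matching is deliberately avoided: "lastpass.com.evil.test"
    ends with "lastpass.com" but is an entirely different domain.
    Non-ASCII hosts (possible homograph lookalikes) are rejected outright.
    """
    host = link_host(url)
    if host is None or not host.isascii():
        return False
    return host in LEGITIMATE_HOSTS


def classify_links(urls):
    """Map each URL to 'legitimate' or 'suspicious' for a triage report."""
    return {u: ("legitimate" if is_legitimate_lastpass_link(u) else "suspicious")
            for u in urls}


# Constructed sample links; the ".test" domains are placeholders, not the
# addresses used in the real campaign.
SAMPLE_LINKS = [
    "https://lastpass.com/",
    "HTTPS://WWW.LASTPASS.COM/support",
    "https://blog.lastpass.com./",
    "https://lastpass.com.backup-maintenance.test/create-backup",
    "https://lastpass.com@vault-backup.test/login",
    "https://lastpass-backup.test/vault",
    "javascript:void(0)",
    "https://lаstpass.com/",  # Cyrillic 'а' in place of Latin 'a'
]

if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_LINKS).items():
        print(f"{verdict:10s} {url}")
```

The check compares the parsed host exactly rather than looking for "lastpass" anywhere in the URL, because the latter is what lookalike domains, embedded userinfo and homograph characters are designed to defeat. A password manager's own browser extension performs a similar host match before offering to autofill, which is one reason a phishing page cannot normally trigger autofill of the real site's credentials.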

References

  1. "LastPass Completes Journey to Become an Independent Company with Enhanced Cybersecurity Focus and Executive Leadership Team". LastPass Newsroom. 2024-05-01. Archived from the original on 2026-02-11. Retrieved 2025-11-02.
  2. "Feds Link $150 Million CyberHeist to 2022 LastPass Hacks". KrebsOnSecurity. 2025-03-07. Archived from the original on 2026-02-21. Retrieved 2025-11-02.
  3. "Changes to LastPass free tier". LastPass Blog. 2021-02-16. Archived from the original on 2026-02-17. Retrieved 2025-11-02.
  4. Learning Center. "What did the LastPass breach reveal about password manager security?". SecurityScorecard. 2025-06-13. Archived from the original on 2026-01-08. Retrieved 2025-11-02.
  5. Threat Intelligence, Mitigation, and Escalation (TIME) team. "New Phishing Campaign Targeting LastPass Customers". blog.lastpass.com. 2026-01-20. Archived from the original on 2026-02-12. Retrieved 2026-06-23.
  6. Constantinescu, Vlad. "LastPass 'create backup' email is a phishing scam targeting your master password". bitdefender.com. 2026-01-22. Archived from the original on 2026-02-17. Retrieved 2026-06-23.