All trademarks, company names or logos are the property of their respective owners.
Uncited block quotes are from LastPass security updates.
Two LastPass breaches were announced in August and December 2022.
LastPass is no longer recommended.
If you're among those with both weaker security and high-value site passwords or credit card information included in your vault, your information may have been compromised.
TL;DR: The breach was helped by a lax security policy: an employee was accessing critical company data from their home computer. So the breach affects LastPass users who had an active LastPass account between August 20 and September 16, 2022.
— Almost Secure
The customer data included customers' names, billing addresses, phone numbers, email addresses, IP addresses and partial credit card numbers, and the number of rounds of encryption used, MFA seeds and device identifiers. The vault data included, for each breached user, unencrypted website URLs and site names, and encrypted usernames, passwords and form data for those sites. According to the reports, the stolen info did not include a plain text copy of the user's master password.
— Wikipedia
Previously, LastPass had been a four-star Editors' Choice product. In late 2022, the company announced that a data breach exposed users' encrypted vault data and other unencrypted personal data. Additional details about the breach and the aftermath came to light in February 2023. Because LastPass initially failed to inform its users of the breach and to adequately protect them, we removed the score and Editors' Choice designation from this review. PCMag is currently reviewing its recommendations of password managers and retesting them.
At this time, we recommend open-source Editors' Choice winner Bitwarden for anyone looking to switch to a new password manager.
— PCMag
LastPass let their users know on August 25, 2022 that a security breach had occurred August 8–12, but stated that only proprietary information was taken:
A software engineer's corporate laptop was compromised, allowing the unauthorized threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets. We declared this incident closed but later learned that information stolen in the first incident was used to identify targets and initiate the second incident.
While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
The attacker gained access by exploiting a vulnerable piece of consumer software on the DevOps engineer's computer.
Neither incident was caused by any LastPass product defect or unauthorized access to — or abuse of — production systems. Rather, the threat actor exploited a vulnerability in third-party software, bypassed existing controls, and eventually accessed non-production development and backup storage environments.
Such software should NEVER have been on any computer accessing either LastPass development areas or customer data.
A second breach was reported on December 22, with LastPass stating there had been “no malicious access after October 26th.”
The threat actor targeted a senior DevOps engineer by exploiting vulnerable third-party software. The threat actor leveraged the vulnerability to deliver malware, bypass existing controls, and ultimately gain unauthorized access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data.
The loss of customer data wasn't reported until nearly two months later.
Right before the holiday season, LastPass published an update on their breach. As people have speculated, this timing was likely not coincidental but rather intentional to keep the news coverage low. Security professionals weren't amused; this holiday season became a very busy time for them.
LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face.
— Almost Secure
Customers were told that their password vault was secure if they'd used a good password.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. If you use the default settings [twelve-character minimum master password and 100,100 iterations of the PBKDF2], it would take millions of years to guess your master password using generally-available password-cracking technology.
Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture. There are no recommended actions that you need to take at this time. [emphasis mine]
This left most customers feeling their data was safe.
The good news is that LastPass encrypts your password vault before it uploads it to the cloud. Unfortunately, many LastPass vaults were protected with far fewer than 100,100 iterations.
However, there are some very serious concerns including the sort of data that was not encrypted:
The stolen data also included unencrypted URLs associated with password entries, providing valuable insight into which password vaults could be targeted to steal credentials to financial services, like cryptocurrency exchanges. It was later revealed that threat actors decrypted some of these weaker master passwords and used the stored credentials to breach cryptocurrency exchanges and steal over $4 million in funds.
LastPass announced it will start encrypting URLs stored in user vaults for enhanced privacy and protection against data breaches and unauthorized access.
— BleepingComputer May 22, 2024
More details came out in January and February indicating that LastPass had failed to inform users that they should raise the number of iterations to at least 600,000 in their settings, and had failed to enforce that change.
Many were using 5,000 or fewer iterations (the default for new users prior to July 9, 2018).
LastPass makes use of the Password Based Key Derivation Function (PBKDF2) which makes it harder for someone to guess your account password through a brute-force attack. Each round of PBKDF2 hashing converts your original input — the master password — into a unique encryption key using hashing. This type of hashing can't be reversed. The more PBKDF2 iterations you apply, the more secure the encryption key will be and the harder it will be to guess.
As a result, many LastPass users were still using far too few iterations to resist today's multi-GPU cracking rigs, making those users' vaults relatively easy to crack.
LastPass may have added a further 100,100 iterations after the vault is uploaded to their servers, but that was unclear from the documentation I read.
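To make the iteration argument concrete, here is an added example (not LastPass code, and not from any of the quoted sources) that derives a key with PBKDF2-HMAC-SHA256 and estimates how the iteration count and master password length change the worst-case cracking time; the salt and the attacker's hash rate are constructed assumptions, not LastPass's actual parameters.

```python
import hashlib
import math

# Constructed assumption: HMAC-SHA256 throughput of an attacker's multi-GPU rig.
# Real figures vary by hardware and cracking software; this is a placeholder.
ASSUMED_HMAC_PER_SECOND = 1e10


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output, the construction the page describes.
    The salt is whatever the vendor uses; here it is simply an input (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def guesses_per_second(iterations: int, hmac_per_second: float = ASSUMED_HMAC_PER_SECOND) -> float:
    """Each master-password guess costs `iterations` HMAC computations,
    so the attacker's guess rate falls linearly as iterations rise."""
    return hmac_per_second / iterations


def years_to_exhaust(charset_size: int, length: int, iterations: int,
                     hmac_per_second: float = ASSUMED_HMAC_PER_SECOND) -> float:
    """Worst-case years to try every password of this length over this character set."""
    keyspace = charset_size ** length
    seconds = keyspace / guesses_per_second(iterations, hmac_per_second)
    return seconds / (365.25 * 24 * 3600)


def relative_cost(old_iterations: int, new_iterations: int) -> float:
    """Factor by which each guess becomes more expensive after raising the iteration count."""
    return new_iterations / old_iterations


def password_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password; 17 printable ASCII characters is ~112 bits."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    # 95 = printable ASCII; compare the old 5,000 default, 100,100 and the 600,000 OWASP floor.
    for iters in (5_000, 100_100, 600_000):
        print(f"{iters:>7} iterations: {guesses_per_second(iters):>12,.0f} guesses/s; "
              f"8 random chars: {years_to_exhaust(95, 8, iters):.1f} years; "
              f"17 random chars: {years_to_exhaust(95, 17, iters):.2e} years")
    print(f"5,000 -> 600,000 iterations makes each guess {relative_cost(5_000, 600_000):.0f}x costlier")
```

Raising iterations buys a linear factor (120x here); going from 8 to 17 random characters buys a factor of 95^9, which is why the page stresses both settings.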
Even if your vault's password and iterations were decent, LastPass didn't encrypt everything.
It certainly doesn't help that LastPass failed to clarify which parts of the vaults are encrypted and which are not. LastPass support adds to the confusion by stating that password notes aren't encrypted, which I'm quite certain is wrong.
Passwords, account and user names, as well as password notes are encrypted. Everything else: not so much.
Page addresses are merely hex-encoded and various metadata fields are just plain text.
— Almost Secure, December 22, 2022
The stolen data includes the following unencrypted data:
- company names
- end user names
- billing addresses
- telephone numbers
- email addresses
- IP addresses which customers used to access LastPass
- website URLs from your password vault
In other words, cybercriminals now know that you use LastPass, they know how to contact you, and they know which websites you use.
— Graham Cluley
One of the unencrypted pieces of data released was the number of PBKDF2 iterations that an end user was configured to use. This means they will know which vaults will be easiest to decrypt.
See Steve Gibson's explanation of the significance of iterations on this Security Now podcast:
Those in possession of your vault can scan this unencrypted information to see if you've included banking, credit cards and similar financial information, making those cherry-picked vaults a prime target for brute-force decryption. They also can be more effective in spear-phishing attacks.
If you would like more detailed discussion about the LastPass 2022 breach and its implications, listen to these podcasts with Steve Gibson and Leo Laporte:
If you were using LastPass at the time of these security breaches, you have a decision to make. Do you:
Bitwarden is my recommended password manager solution.
LastPass not only failed to keep your passwords safe, but failed to warn you in a timely manner.
The question is what to do about it.
While any password manager is better than none, there are advantages to a password manager that is proven secure and reliable. LastPass failed that test.
Regardless of whether you stay with LastPass or leave (my recommendation), you must assume your passwords were compromised.
You need to change the passwords for all your accounts, including the master password.
Unless you've decided to stay with LastPass (not recommended), export your LastPass data then import it into your new password manager before changing the passwords for your accounts.
Choose a password that is both long and strong enough to withstand current brute force attacks (a minimum of 17 random characters, but ideally more).
You should NEVER reuse any password but especially not your password manager's master password.
Many security experts, including myself, moved from LastPass to Bitwarden.
Steve Gibson had concerns with the fact that LastPass had not warned users with weaker passwords.
His Twitter posts and Security Now! #905 (PDF) discuss these concerns. The latter includes a PowerShell script that can help you determine how strong your LastPass vault is.
LastPass is making the effort to fix the things that went wrong.
There remain concerns about LastPass's security:
LastPass was a legacy product developed when security needs were less intense. It also changed ownership several times which may have meant the security parameters were no longer understood.
They failed to keep up with the technology and failed to inform their customers about the risks of not strengthening their vault master password and not increasing the number of iterations.
While website names were encrypted, the URLs were not. This and other information can be used to focus on more valuable passwords in your vault, such as financial logins.
You'll have to assume all the passwords in your vault were compromised.
The hackers who stole all the LastPass customer vault data have no time limit on their attempts to brute-force any of these vaults. The vaults of significant companies and individuals will probably be attacked first, followed by those vaults that contain banking or other financial passwords but are protected by poor master passwords.
Even if your entire LastPass vault was not immediately compromised, it could be cracked within five or ten years.
I strongly recommend abandoning LastPass. The failure to protect user data, especially AFTER the initial breach, is negligent.
If you're staying with LastPass, you'll need to secure it before changing ALL your passwords.
Start by improving your security settings, then monitor updates or changes recommended by LastPass. For example, as of October 18, 2025 LastPass requires your master password to be at least 12 characters.
Once you've secured your LastPass account, you need to update all the passwords in your LastPass vault.
Start by closing any unused accounts.
Closing these accounts prevents unauthorized use and protects you against future data breaches that could expose your private information.
If you haven't accessed them in well over a year, assess whether that account is necessary.
Now that you've eliminated the unnecessary accounts from your LastPass vault, change the remaining passwords, using a unique password generated by LastPass.
Start with the most vulnerable sites (banks, credit cards, etc.) then move to the less valuable sites. This assumes that you did not share passwords across multiple sites.
To understand why these changes are necessary, see password vulnerability to brute force attacks.
Remember, you don't have to remember these passwords.
Once you've changed the password, log out of the account then log back in using your new password. If everything works, delete the temporary copy of your old password.
LastPass has provided guidance for both consumer and business users:
Realize that ANY cloud-based password manager (or service) is potentially vulnerable.
The alternative is a secure password manager like Password Safe which resides only on ONE computer.
Steve Gibson's initial support of LastPass was one of the main reasons I felt I could recommend LastPass. That was before it was purchased by GoTo (formerly LogMeIn) then re-established as an independent private equity company in December 2021.
Steve has now moved to Bitwarden (as have I and most of the security folks I trust for advice).
Bitwarden is open source which allows other developers and programmers to check the validity of the encryption process and point out vulnerabilities.
If you're moving away from LastPass, do not change your passwords in LastPass.
Warning: this data will be in CSV format and is NOT encrypted. Hold onto it only long enough to import it into your new password manager, then delete it securely.
Once you've imported your LastPass data and have made the changes to your passwords in your new password manager, verify that everything is working before securely deleting the LastPass CSV file and your LastPass account.
RussHarvey.bc.ca/resources/lastpass.html
Updated: May 28, 2025