
LastPass


LastPass
Basic Information
Release Year: 2008
Product Type: Password Managers, Browser extension, Software, Security
In Production
Official Website: https://www.lastpass.com/


LastPass is a password manager application that allows users to store passwords and notes securely using one master password. It was launched in 2008 and was one of the first widely adopted password managers.

In 2015 LastPass was acquired by GoTo (formerly LogMeIn Inc) for $110 million. LastPass was later spun off into its own company, being acquired by private equity firms Francisco Partners and Elliott Management in 2024.[1]

Consumer-impact summary

LastPass, being a password manager, stores and transmits highly sensitive information (passwords and secure notes). LastPass relies on its users trusting it to handle this information safely and keep it accessible.

Use of a subscription service for more device types allows LastPass to restrict where users can view their passwords.

LastPass has suffered a number of security incidents over the years, the most severe being the 2022 data breach, in which encrypted customer passwords and secret notes were exposed. Although the most sensitive information was encrypted, the vault can be decrypted, and the stolen data was allegedly used in the theft of $35 million in cryptocurrency from 150 victims. In 2025 an even larger theft of $150 million was traced back to the data breach.[2]

Incidents

Free Tier Device Type Restrictions

On February 16, 2021, LastPass changed its free tier to restrict users to only one device type. After March 16, 2021, a user who was using LastPass on their computer could no longer view their LastPass vault on mobile without paying for premium. These restrictions locked a large part of LastPass's user base out of their passwords.[3]

2022 Data Breach

In August 2022 and November 2022, LastPass suffered a data breach involving a backup copy of a customer database and customer password vaults. The attackers used a compromised developer account to access source code which contained credentials to the aforementioned backup database. The stolen data included encrypted usernames, passwords and secure notes. It was also discovered that URLs, IP addresses, phone numbers and some emails were unencrypted.[4]

See also

References

  1. "LastPass Completes Journey to Become an Independent Company with Enhanced Cybersecurity Focus and Executive Leadership Team". LastPass Newsroom. 2024-05-01. Archived from the original on 11 Feb 2026. Retrieved 2025-11-02.
  2. "Feds Link $150 Million CyberHeist to 2022 LastPass Hacks". Krebs on Security. 2025-03-07. Archived from the original on 21 Feb 2026. Retrieved 2025-11-02.
  3. "Changes to LastPass free tier". LastPass Blog. 2021-02-16. Archived from the original on 17 Feb 2026. Retrieved 2025-11-02.
  4. Learning Center (2025-06-13). "What did the lastpass breach reveal about password manager security?". SecurityScorecard. Archived from the original on 8 Jan 2026. Retrieved 2025-11-02.