LastPass

LastPass is a password manager that stores encrypted user credentials and provides autofill across devices. Owned by private equity firms Francisco Partners and Elliott Management, the service suffered a catastrophic 2022 breach that compromised encrypted vault data for approximately 33 million users.

Score: 56/100
Severely Enshittified
Stage 3: Harvesting Everyone · Trend: Worsening

Score generated by AI agents based on publicly cited evidence and reviewed by the project maintainer. Not independently validated.

Score History

Score by era:
Indie Startup (2008–2015) · 12/100
LogMeIn Acquisition (2015–2019) · 20/100
Price Extraction Begins (2019–2021) · 30/100
Free Tier Gutted (2021–2022) · 38/100
Catastrophic Breach (2022–2026) · 48/100
Ongoing Fallout (2026–present) · 56/100

Milestones: Founded (2008) · Acquired Xmarks (2010) · Acquired by LogMeIn (2015) · PE Acquisition (Francisco/Elliott) (2020) · Spun off from GoTo (2024)

Timeline events are AI-curated from public reporting. Score trajectory is derived from documented events.

Indie Startup
12/100
2008-01-01

LastPass launched in 2008 as an independent password manager built by four developers in Fairfax, Virginia. The product offered a generous freemium model with free cross-device sync, earning PC Magazine's Editors' Choice and Steve Gibson's endorsement. Minor concerns existed around proprietary format lock-in and small-team governance, but the product was well-regarded and the company was bootstrapped with aligned incentives.

LogMeIn Acquisition
20/100 (+8)
2015-10-01

LogMeIn acquired LastPass for $110 million in October 2015, placing the password manager inside a publicly traded SaaS conglomerate with a reputation for aggressive price increases. Four months earlier, the June 2015 breach had exposed account email addresses, password reminders, per-user salts, and authentication hashes. LogMeIn began integrating LastPass into its enterprise portfolio, and a November 2016 decision to make multi-device sync free expanded the user base but also deepened the dependence that later price and tier changes would exploit.

Price Extraction Begins
30/100 (+10)
2019-03-01

LogMeIn tripled LastPass Premium pricing from $12/year to $36/year between 2017 and 2019, while simultaneously removing features from the free tier. Emergency access and unlimited sharing became Premium-only in August 2017. The December 2019 announcement that Francisco Partners and Elliott Management would acquire LogMeIn for $4.3 billion signaled private equity's arrival. Browser extension vulnerabilities and the shrinking free tier accelerated user frustration.

Free Tier Gutted
38/100 (+8)
2021-03-01

Under PE ownership (completed August 2020), LastPass reversed its 2016 decision and restricted free users to a single device type starting March 16, 2021, effectively crippling the free tier. Email support was removed for free users by August 2021. The PE owners announced the LastPass spinoff in December 2021 while maintaining control. Cost-cutting intensified, and employee morale deteriorated as restructuring began under new corporate ownership.

Catastrophic Breach
48/100 (+10)
2022-12-01

The August-December 2022 breach exposed encrypted vault backups for approximately 33 million users after a DevOps engineer's personal computer was compromised through an unpatched Plex vulnerability and a keylogger captured his corporate vault master password. LastPass's staged disclosure over four months, from 'limited developer environment' to 'customer vaults stolen', was condemned as misleading by security researchers, one of whom called the zero-knowledge claims 'a bald-faced lie.' Because LastPass never forcibly raised the PBKDF2 iteration count on older accounts, some long-standing users' vault keys were derived with a single iteration, making offline cracking of their stolen vaults far cheaper than the 100,100-iteration default implied. Class action lawsuits were filed, and a mass exodus of users to competitors began.

Ongoing Fallout
56/100 (+8)
2026-02-11

The consequences of the 2022 breach continue to compound. TRM Labs reported approximately $438 million in cryptocurrency stolen from cracked vaults through late 2025, with Russian cybercriminals involved. The UK ICO fined LastPass £1.23 million for GDPR violations, and a $24.5 million U.S. class action settlement received preliminary court approval. Quarterly layoffs persist under PE ownership, with Glassdoor ratings at 3.3/5 and only 31% positive business outlook. LastPass completed its spinoff from GoTo in May 2024 but remains controlled by the same PE firms.

Alternatives

Bitwarden · 15/100

Open-source password manager scoring 15 vs. LastPass's 56 — one of the lowest scores on this site. Free tier includes unlimited passwords across unlimited devices (no device type restriction), the opposite of what LastPass took away in 2021. Never had a breach remotely comparable to LastPass's 2022 catastrophe. Easy switch — Bitwarden has a direct import tool for LastPass CSV exports. The free tier is genuinely free, not a crippled upsell funnel.

1Password · 26/100

Premium password manager scoring 26 vs. LastPass's 56, with a strong security track record and no history of catastrophic breaches. No free tier (starts at $3/month), but the polished apps, Travel Mode, and Watchtower breach monitoring make it the top choice for users willing to pay. Easy switch — 1Password offers a direct LastPass import guide. Better option if you want the polish of a premium product without the PE ownership baggage.

Dimensional Breakdown

Summaries below were written by AI agents based on the cited evidence. They are editorial interpretations, not independent research findings.

User Value Erosion
LastPass represents one of the most dramatic user value erosion arcs in the security software industry. The March 2021 restriction of free users to a single device type (computer OR mobile, not both) reportedly rendered the free tier nearly unusable for most people who need passwords across devices. Premium pricing tripled from $12/year to $36/year between 2017 and 2019. The catastrophic 2022 breach — in which attackers stole encrypted vault backups for approximately 33 million users — fundamentally undermined the core value proposition of a password manager: keeping passwords safe. Unencrypted metadata including website URLs, billing addresses, and email addresses was also exposed. According to TRM Labs, stolen vaults continue to be cracked offline years later, with approximately $438 million in cryptocurrency reportedly stolen through late 2025. Security researcher Wladimir Palant described LastPass's post-breach communication as containing 'half-truths and outright lies,' and the company initially advised users that 'there are no recommended actions that you need to take at this time' — a statement widely condemned as grossly negligent.
How It Got Here
LastPass launched in 2008 as a well-regarded free password manager, earning PC Magazine's Editors' Choice and widespread adoption. The 2011 breach was the first warning, but the product remained functionally strong. After LogMeIn's 2015 acquisition, a brief high point came in November 2016 when multi-device sync was made free. That trajectory reversed starting August 2017, when Premium pricing doubled from $12 to $24/year while emergency access and sharing were stripped from the free tier. By February 2019, pricing had tripled to $36/year. The most destructive blow came in March 2021 when free users were restricted to a single device type, effectively destroying the core utility of a cross-device password manager. The catastrophic August-December 2022 breach then undermined the product's fundamental promise: security. Attackers stole encrypted vault backups for approximately 33 million users, with unencrypted metadata including website URLs exposed alongside encrypted credentials. TRM Labs has traced approximately $438 million in cryptocurrency theft to cracked vaults through late 2025. Multiple phishing campaigns in late 2025 and early 2026 continue to exploit the trust damage, with attackers impersonating LastPass to harvest master passwords. A product that once offered best-in-class free password management now delivers a crippled free tier, inflated pricing, and compromised security.
Other scored dimensions (no summary shown on the page):
Business Customer Exploitation
Shareholder Extraction
Lock-in & Switching Costs
Twiddling & Algorithmic Opacity
Dark Patterns
Advertising & Monetization Pressure
Competitive Conduct
Labor & Governance
Regulatory & Legal Posture

Dimension History

Scores per dimension at each milestone (2008 Indie Startup, 2015 LogMeIn Acquisition, 2019 Price Extraction Begins, 2021 Free Tier Gutted, 2022 Catastrophic Breach, 2026 Ongoing Fallout):

Dimension        2008  2015  2019  2021  2022  2026
User Value          1     2     4     6     7     8
Biz Exploit         1     2     3     4     5     6
Shareholder         1     3     4     5     6     7
Lock-in             2     2     3     3     4     4
Algorithms          1     1     2     2     4     4
Dark Patterns       1     2     3     4     4     5
Advertising         1     2     4     5     5     6
Competition         1     2     2     2     3     3
Labor/Gov           2     2     3     4     6     7
Regulatory          1     2     2     3     4     6
Timeline (39 events)
major · 2011-05-04

First security breach detected at LastPass

LastPass reported detecting unusual network traffic from a database, indicating a possible intrusion. The company required all users to reset their master passwords as a precaution, though no evidence of vault data exfiltration was confirmed. This was the first of seven publicly known security incidents.

major · 2015-06-15

Second breach exposes email addresses and authentication hashes

LastPass discovered suspicious activity on their network and confirmed that account email addresses, password reminders, server per-user salts, and authentication hashes were compromised. Encrypted vault data was reportedly not taken, but the stolen password reminders could help attackers target individual users. All users were required to change master passwords. The breach raised questions about whether the small bootstrapped company had sufficient resources for enterprise-grade security.

critical · 2015-10-09

LogMeIn acquires LastPass for $110 million

LogMeIn, a publicly traded SaaS company, acquired LastPass for $110 million in cash with an additional $15 million contingent on milestone targets. At the time, LastPass had 7 million users and 15,000 business customers. Founder Joe Siegrist's blog was flooded with criticism from users concerned about LogMeIn's reputation for aggressive price increases.

major · 2016-11-02

Multi-device sync made free for all users

LastPass announced that free users could now sync passwords across all device types, a feature previously locked behind the $12/year Premium plan. This represented LastPass's peak generosity to free users, making it one of the most capable free password managers available. By deepening user investment across all devices, it also increased switching costs. The feature would be reversed in March 2021.

major · 2017-03-22

Browser extension vulnerabilities expose user credentials

Google Project Zero researcher Tavis Ormandy reported vulnerabilities in the LastPass Firefox and Chrome extensions that allowed a malicious website to extract stored credentials and, in one variant, to execute commands on the user's computer through the extension's binary component. Separately, a 2017 academic analysis of Android password managers identified improperly stored master passwords and data leakage in the LastPass app.

major · 2017-08-03

Premium price doubled, free tier features removed

LastPass doubled Premium pricing from $12/year to $24/year while simultaneously removing emergency access and unlimited sharing from the free tier, pushing them behind the paywall. The Families plan launched at $48/year. Business plan pricing also increased, affecting the approximately 15,000 organizations using LastPass. This marked the first clear sign of LogMeIn applying its aggressive pricing playbook to LastPass.

minor · 2018-05-01

LogMeIn shuts down Xmarks bookmark sync service

LogMeIn discontinued the Xmarks bookmark-syncing service that LastPass had acquired in 2010, shutting it down on May 1, 2018. LastPass had rescued Xmarks from closure in 2010 when the service couldn't sustain itself on voluntary donations. After LogMeIn bought LastPass in 2015, it promised to continue supporting Xmarks but ultimately abandoned the product. Users lost access to cross-browser bookmark synchronization with no migration path offered.

major · 2019-02-07

Premium price tripled to $36/year in two years

LastPass increased Premium pricing from $24/year to $36/year ($3/month), completing a 200% price increase over just two years under LogMeIn ownership. Critics noted that no significant new features accompanied the increase. Bruceb Consulting wrote that LastPass had 'learned the wrong lessons about price increases from LogMeIn.'

minor · 2019-08-01

LastPass Enterprise restructured into Business plan tiers

LogMeIn restructured LastPass business plans, replacing the Enterprise tier with a new Business plan at $6/user/month. The reorganization added Advanced SSO and Advanced MFA as paid add-ons, increasing total cost for organizations that had previously received bundled features. Business customers faced forced plan migrations and potential feature loss if they did not upgrade.

major · 2019-09-16

Google Project Zero finds credential-leaking browser extension bug

Google Project Zero researcher Tavis Ormandy found that the LastPass browser extension could be tricked into filling credentials for the previously visited site into a different page. The extension's pop-up could be opened by iframing it directly, bypassing the do_popupregister() call that normally records which tab and URL the pop-up belongs to, so the extension fell back on the cached URL for the tab and offered the wrong site's credentials. LastPass patched the Chrome and Opera extensions before public disclosure, but the bug underscored ongoing weaknesses in the extension's security architecture.

critical · 2019-12-17

Francisco Partners and Elliott announce $4.3B LogMeIn buyout

Francisco Partners and Evergreen Coast Capital (Elliott Management's PE affiliate) announced a $4.3 billion acquisition of LogMeIn at $86.05 per share, taking it private. The deal, completed August 31, 2020, placed LastPass under private equity control with PE firms whose playbook centers on cost-cutting and value extraction from portfolio companies.

critical · 2020-08-31

PE acquisition of LogMeIn closes at $4.3 billion

Francisco Partners and Evergreen Coast Capital (Elliott Management's affiliate) completed the $4.3 billion acquisition of LogMeIn, taking it private at $86.05 per share. LogMeIn's stock was delisted from NASDAQ. The deal placed LastPass under private equity control, concentrating governance with financial sponsors whose obligations run to limited partners rather than users. The privatization reduced public transparency requirements including SEC reporting obligations.

critical · 2021-02-16

Free tier restricted to single device type

LastPass announced that starting March 16, 2021, free users would be limited to either computers or mobile devices, but not both. This reversed the 2016 decision to make multi-device sync free. The restriction effectively made the free tier unusable for most people, as modern password management requires cross-device access. Users had only three opportunities to switch their device type.

major · 2021-03-16

Free tier device restriction takes effect

The single device type restriction officially took effect on March 16, 2021. Free users' first login set their active device type permanently, with only three chances to switch. The restriction trapped existing free users into choosing between desktop and mobile access, creating pressure to upgrade to Premium or switch to competitors like Bitwarden that maintained free multi-device sync.

minor · 2021-04-01

Competitors target LastPass refugees after free tier restrictions

Following LastPass's March 2021 free tier restrictions, competitors launched targeted migration campaigns. Bitwarden published a direct LastPass import guide and promoted its free unlimited-device sync. 1Password highlighted its 'no free tier' model as more honest than LastPass's bait-and-switch approach. Apple and Google expanded their built-in password managers, further eroding LastPass's market position among free-tier users.

minor · 2021-05-17

Email support removed for free tier users

LastPass removed email support for free users, limiting them to self-help resources and community forums. Free users were allowed to continue receiving technical support through August 23, 2021, to help with the device type transition. Premium and Families customers retained full email support access.

Source: iMore

major · 2021-12-14

GoTo announces LastPass spinoff as independent company

GoTo (formerly LogMeIn) announced plans to establish LastPass as an independent company, citing strong market demand for password management. The spinoff, controlled by the same PE owners Francisco Partners and Elliott Management, would not be completed until May 2024. Critics noted the separation still left LastPass under the same PE ownership structure.

minor · 2022-04-26

Karim Toubba appointed as CEO

LastPass appointed Karim Toubba as CEO, replacing interim-CEO Mike Kohlsdorf. Toubba, a cybersecurity veteran from Cisco/Kenna Security, was brought in to lead LastPass through its separation from GoTo. He would face the breach crisis within months of taking office.

critical · 2022-08-25

First breach disclosure: developer environment compromised

LastPass disclosed that an unauthorized party accessed portions of its development environment through a compromised developer account, stealing source code and proprietary technical information. CEO Toubba's blog post stated the breach was contained and that no customer data or vault contents were accessed. This initial disclosure drastically understated the severity of what had actually occurred.

critical · 2022-12-22

Full breach severity revealed: customer vaults stolen

Four months after the initial disclosure, LastPass revealed that attackers had used information taken in the August incident to access a cloud storage environment and steal backups of customer vault data for approximately 33 million users. The backups contained both unencrypted fields (website URLs, email addresses, billing information) and encrypted fields (usernames, passwords, secure notes). The route into that storage was only explained two months later: a senior DevOps engineer's personal computer had been compromised through an unpatched Plex vulnerability (CVE-2020-5741), giving the attacker the keys needed to reach the backups.

critical · 2022-12-26

Security experts blast LastPass for misleading breach communication

Security researcher Wladimir Palant published a detailed analysis calling LastPass's December 22 statement 'full of omissions, half-truths and outright lies.' Password-cracking researcher Jeremi Gosney described the 'zero-knowledge' claim as 'a bald-faced lie,' noting that the stolen vaults were plaintext files in which only select fields were encrypted, and said LastPass had committed 'every crypto 101 sin' in its encryption implementation. Palant's analysis reached similar conclusions about the design.

major · 2022-12-28

PBKDF2 iteration weakness exposed across older accounts

Palant's analysis revealed that LastPass's PBKDF2 iteration count varied wildly across accounts: 1 iteration for the oldest accounts, 500 for accounts created around 2012, 5,000 from 2013, and 100,100 for accounts created after the 2018 default change. LastPass never forcibly upgraded older accounts, so the iteration count an account was created with is the one protecting its stolen backup, and long-term users were left with dangerously weak key stretching. Even the 100,100 default sat at the low end of the industry and well below the 310,000 iterations OWASP recommended for PBKDF2-HMAC-SHA256 at the time of the breach.
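The following is an added example, not code from the page or from LastPass. It shows what the iteration count means for an attacker holding a stolen vault backup: how guess throughput falls in proportion to the count, why an account left at 1 iteration is protected by a single HMAC and nothing more, and what a forced re-key check looks like. It assumes PBKDF2-HMAC-SHA256 with the lower-cased account email as salt (LastPass's reported scheme); the attacker HMAC rate, the sample accounts and the password are constructed placeholders, not measurements.

```python
"""Added example, not code from the page or from LastPass.

Demonstrates how the PBKDF2 iteration count governs offline cracking speed
against a stolen vault, and why an account at 1 iteration has no key
stretching at all.  Assumptions: PBKDF2-HMAC-SHA256 with the lower-cased
account e-mail as salt (LastPass's reported scheme); the attacker's HMAC
rate is a labelled hypothetical, not a measured figure.
"""
import hashlib
import hmac
import struct
import time

# Iteration counts the page reports for accounts created in different eras,
# and the OWASP PBKDF2-HMAC-SHA256 recommendation in force in 2022.
LASTPASS_ITERATION_HISTORY = {"oldest": 1, "2012": 500, "2013": 5_000, "2018+": 100_100}
OWASP_2022_FLOOR = 310_000


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """32-byte vault key: PBKDF2-HMAC-SHA256(master password, salt=email)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def single_hmac(master_password: str, email: str) -> bytes:
    """What PBKDF2 degenerates to at iterations=1 with a one-block output:
    HMAC(password, salt || INT_32BE(1)).  That is the whole key."""
    return hmac.new(
        master_password.encode(),
        email.lower().encode() + struct.pack(">I", 1),
        hashlib.sha256,
    ).digest()


def guesses_per_second(iterations: int, hmac_rate: float) -> float:
    """Offline guess rate for an attacker able to compute hmac_rate HMAC-SHA256
    per second: one HMAC per iteration for a 32-byte key."""
    return hmac_rate / iterations


def slowdown_factor(weak_iterations: int, strong_iterations: int) -> int:
    """How many times more work per guess the stronger setting imposes."""
    return strong_iterations // weak_iterations


def accounts_needing_rekey(iteration_by_account: dict, floor: int = OWASP_2022_FLOOR) -> list:
    """The forced upgrade the page says LastPass never performed: flag every
    account whose stored count is below the floor so its key is re-derived
    (and the vault re-encrypted) at the next successful login."""
    return sorted(acct for acct, its in iteration_by_account.items() if its < floor)


def time_one_derivation(iterations: int) -> float:
    """Wall-clock seconds for one legitimate unlock on this machine."""
    start = time.perf_counter()
    derive_vault_key("correct horse battery staple", "user@example.com", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample: per-account iteration counts as a server might store them.
    sample = {"alice@example.com": 1, "bob@example.com": 5_000,
              "carol@example.com": 100_100, "dan@example.com": 600_000}
    hypothetical_rate = 1e9  # HMAC-SHA256/s: a stand-in for a GPU rig, not a measurement
    for era, its in LASTPASS_ITERATION_HISTORY.items():
        print(f"{era:>6}: {its:>7} iterations -> "
              f"{guesses_per_second(its, hypothetical_rate):>14,.0f} guesses/s, "
              f"{time_one_derivation(its) * 1000:8.2f} ms per legitimate unlock")
    print("needs rekey:", accounts_needing_rekey(sample))
```

The point of `single_hmac` is that the "1 iteration" accounts were not merely weak: their vault key was one HMAC of the master password over a salt the attacker also held (the email was in the stolen backup), so every master-password guess cost the same as checking a plain salted hash. Raising the count only helps accounts that are actually re-keyed, which is why `accounts_needing_rekey` has to run server-side and force the upgrade rather than wait for a user-initiated settings change.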

major · 2023-01-04

Class action lawsuit filed over 2022 data breach

A proposed class action was filed against LastPass US LP in U.S. District Court for the District of Massachusetts, alleging negligence and breach of contract. The complaint (Debt Cleanse Group Legal Services LLC v. GoTo Technologies USA Inc., Case No. 1:22-cv-12047) alleged that LastPass failed to adequately protect customers' private information and incorporate necessary security tools.

major · 2023-01-04

Enterprise migration from LastPass reveals export limitations

As organizations rushed to leave LastPass post-breach, enterprise migrations exposed significant limitations in the CSV export process. LastPass exports did not include TOTP/2FA codes, shared vault permissions, file attachments, or form fills. Nested folder structures were lost during import to competitors. Organizations using SSO-based LastPass logins could not use the direct import feature, forcing manual CSV workflows with unencrypted data.

major · 2023-01-29

Users report LastPass auto-renewing cancelled accounts

Hacker News discussion documented multiple cases of LastPass auto-renewing subscriptions for users who believed they had cancelled, with the company refusing refunds citing its terms of service. Some users reported needing to create pre-loaded virtual cards with $1 limits before cancelling to prevent unauthorized charges. The no-refund policy was particularly contentious given the December 2022 breach revelation.

critical · 2023-02-28

DevOps engineer Plex compromise details revealed

LastPass disclosed that the second breach specifically targeted one of only four DevOps engineers with access to the corporate vault. The attacker exploited CVE-2020-5741, a Plex vulnerability patched in May 2020, on the engineer's personal home computer. The employee had never updated Plex, leaving a version roughly 75 updates behind. The attacker installed a keylogger to capture the engineer's master password.

major · 2023-03-15

Post-breach layoffs reported at LastPass

Employees reported on Fishbowl that they were laid off from LastPass 'due to the result of their security incident,' with reports of many layoffs within the company. Glassdoor reviews from this period describe a 'sinking ship' atmosphere with constant restructuring and concern that leadership had no real strategy beyond cost-cutting.

major · 2023-09-05

One year post-breach: security expert says LastPass has not improved

Security researcher Wladimir Palant published a follow-up assessment concluding that one year after the catastrophic breach, LastPass had not meaningfully improved its security practices. Palant found that the same fundamental issues with the security architecture remained, and that LastPass's public statements continued to be misleading about the strength of its protections.

minor · 2024-01-01

LastPass maintains $36/year pricing despite breach-driven trust deficit

Despite the catastrophic 2022 breach and significant user exodus, LastPass maintained its Premium pricing at $36/year and increased the Families plan to $48/year ($4/month). Business pricing rose to $7/user/month with Advanced SSO ($2/user) and Advanced MFA ($3/user) as paid add-ons. The company continued aggressive tier-gating with the crippled free tier, while competitors like Bitwarden offered comparable functionality at $10/year.

critical · 2024-01-30

$150 million cryptocurrency heist linked to LastPass breach

On January 30, 2024, approximately $150 million in cryptocurrency was stolen from Ripple co-founder Chris Larsen. Federal prosecutors later seized roughly $24 million of the proceeds, and in a March 2025 forfeiture filing the U.S. Secret Service and FBI linked the theft to the 2022 LastPass breach: private keys stored in Larsen's compromised LastPass vault had been used to drain his holdings.

major · 2024-05-01

LastPass completes spinoff from GoTo as independent company

LastPass completed its separation from GoTo, becoming a standalone company headquartered in Boston with over 800 employees. Despite the independence branding, the company remains controlled by the same PE firms (Francisco Partners and Elliott Management) that took LogMeIn private in 2020. Business customers faced transition uncertainties as infrastructure and support structures were separated.

major · 2024-05-22

LastPass begins encrypting vault URLs after breach exposed them

LastPass announced a two-phase initiative to encrypt URLs stored in vaults, addressing one of the most criticized aspects of the 2022 breach: that website URLs had been stored unencrypted, revealing which services users had accounts with. Phase 1, completed by August 2024, encrypted primary URL fields. Phase 2, completed September 2025, extended encryption to URL rules, equivalent domains, and never-URL lists. The company cited advances in device processing power as enabling encryption that was previously too computationally expensive.

minor · 2024-10-31

Fake Chrome Web Store reviews used to phish LastPass users

LastPass warned of a social engineering campaign where attackers posted fake reviews on the LastPass Chrome Web Store page directing users to call a fraudulent support number. Callers were guided to visit a malicious site (dghelp[.]top) that downloaded a ConnectWise ScreenConnect agent, giving attackers full remote access to victims' computers. The scammers used emojis in reviews and changed phone numbers to evade detection, continuing through at least November 2024.

critical · 2025-03-07

FBI and Secret Service confirm $150M cyberheist tied to LastPass

Krebs on Security reported that federal investigators confirmed the connection between the $150 million Ripple co-founder cryptocurrency theft and the 2022 LastPass breach. The seizure document showed the U.S. Secret Service and FBI agreed with blockchain researcher ZachXBT's finding that private keys stored in a LastPass vault were used to execute the theft.

critical · 2025-11-20

UK ICO fines LastPass £1.23 million for GDPR violations

The UK Information Commissioner's Office fined LastPass UK Ltd £1,228,283 for violations of UK GDPR Articles 5(1)(f) and 32(1), finding the company failed to implement appropriate technical and organizational security measures. The fine covered breaches affecting 1.6 million UK customers. The ICO noted that senior employees accessed corporate credentials from unmanaged personal devices, violating NCSC guidance on BYOD security.

Source: ICO

critical · 2025-12-04

TRM Labs reveals $438 million in cryptocurrency stolen via LastPass breach

TRM Labs published research showing that stolen LastPass vault backups had enabled approximately $438 million in cryptocurrency theft through late 2025. At least $35 million was traced, with $28 million converted to Bitcoin and laundered via Wasabi Wallet between late 2024 and early 2025. Evidence pointed to Russian cybercriminal involvement, with funds routed through exchanges associated with illicit activity.

major · 2026-01-19

First major phishing campaign of 2026 targets LastPass customers

LastPass's Threat Intelligence, Mitigation, and Escalation (TIME) team alerted customers to a phishing campaign that began around January 19, 2026. Attackers sent emails claiming LastPass would conduct maintenance, urging users to backup their vaults within 24 hours. Phishing links directed victims to sites hosted on AWS S3 buckets, redirecting to spoofed domains like mail-lastpass.com and security-lastpass.com. The campaign was timed over a U.S. holiday weekend to exploit reduced staffing and delayed detection.

critical · 2026-02-02

Court approves $24.5 million class action settlement

A federal court granted preliminary approval to a $24.5 million settlement of the LastPass data breach class action. The settlement included an $8.2 million general fund for class members and a separate $16.25 million fund for documented cryptocurrency losses, with individual payouts up to $900,000 for proven crypto theft. Class members could also receive a complimentary six-month LastPass Premium upgrade.

major · 2026-03-01

Second phishing campaign of 2026 spoofs LastPass account alerts

LastPass warned of a second phishing campaign in two months, beginning around March 1, 2026. Attackers used display name spoofing and fake email chains to impersonate LastPass, claiming unauthorized actions on accounts such as vault exports or new device registrations. Phishing links redirected to verify-lastpass.com, a fraudulent SSO login portal designed to harvest master passwords. The third phishing campaign targeting LastPass users in six months underscored the ongoing exploitation of the 2022 breach's trust damage.
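The two 2026 campaigns above, like the late-2025 one, lean on hostnames that contain the brand but are not the brand's domain (mail-lastpass.com, security-lastpass.com, verify-lastpass.com). The following is an added example, not code from the page or from LastPass, showing the check a mail filter or a careful user should apply: a host belongs to lastpass.com only if it is lastpass.com itself or a dot-delimited subdomain of it, which a "contains lastpass.com" test gets wrong. All URLs in it are constructed samples patterned on the page's description, not live indicators, and treating lastpass.com as the only legitimate apex is an assumption.

```python
"""Added example, not code from the page or from LastPass.

Classifies a link's host against the legitimate domain the way the page's
phishing campaigns hope nobody will: exact apex or real subdomain only.
All sample URLs are constructed, not taken from a real campaign.
"""
from urllib.parse import urlsplit

# Assumption for this example: the only apex that counts as the real service.
TRUSTED_DOMAINS = ("lastpass.com",)


def naive_contains_check(url: str) -> bool:
    """The weak test: substring match on the whole URL.  Accepts every
    lookalike in the page (mail-lastpass.com, verify-lastpass.com ...)."""
    return "lastpass.com" in url.lower()


def host_belongs_to(host: str, domain: str) -> bool:
    """True only for the apex itself or a '.'-delimited subdomain.  Rejects a
    hyphenated prefix (mail-lastpass.com) and a suffix trick
    (lastpass.com.evil.example); tolerates a trailing dot."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_link(url: str) -> str:
    """Return one of: invalid, plaintext-http, trusted, lookalike, untrusted."""
    parts = urlsplit(url.strip())
    host = parts.hostname  # drops userinfo ('lastpass.com@') and :port; None if absent
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    if parts.scheme == "http":
        return "plaintext-http"
    if any(host_belongs_to(host, d) for d in TRUSTED_DOMAINS):
        return "trusted"
    if "lastpass" in host:
        return "lookalike"  # brand in the name, but not our domain
    return "untrusted"  # e.g. an S3 bucket used as the first hop


def triage(urls):
    """Verdict for every link pulled out of a mail body."""
    return {u: classify_link(u) for u in urls}


if __name__ == "__main__":
    # Constructed samples modelled on the campaigns the page describes.
    samples = [
        "https://vault.lastpass.com/",
        "https://mail-lastpass.com/backup",
        "https://verify-lastpass.com/sso",
        "https://lastpass.com.evil.example/",
        "https://lastpass.com@evil.example/",
        "https://example-bucket.s3.amazonaws.com/notice.html",
        "http://lastpass.com/",
    ]
    for url, verdict in triage(samples).items():
        print(f"{verdict:14} naive={str(naive_contains_check(url)):5} {url}")
```

Two details matter in practice. `urlsplit(...).hostname` discards the userinfo part, so `https://lastpass.com@evil.example/` resolves to `evil.example` rather than to the brand the eye lands on. And the S3-hosted first hop the January 2026 campaign used carries no brand string at all, which is why a verdict of "untrusted" (rather than only hunting for lookalikes) is the one that catches it.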

Evidence (39 citations)

Scoring Log (4 entries)
2026-03-11 · narrative-gap-fill · Added 1 missing dimension narrative
2026-03-05 · Deep Enrichment
2026-02-20 · Alternatives Review · GOOD
2026-02-11 · Initial Scoring