LastPass
from Wikipedia

LastPass is a password manager application.[3] The standard version of LastPass comes with a web interface, but also includes a browser extension, an app and support for bookmarklets.

Key Information

Founded in 2008 by four developers,[4][5] LastPass was acquired by GoTo (formerly LogMeIn Inc.) for $110 million in 2015.[6] LastPass was spun off from GoTo into a stand-alone business in 2024.[7]

LastPass suffered significant security incidents between 2011 and 2022. Notably, in late 2022, user data, billing information, and vaults (with some fields encrypted and others not)[a][8] were breached, leading many security professionals to call for users to change all their passwords and switch to other password managers.[9]

Overview


A user's content in LastPass, including passwords and secure notes, is protected by a single master password, and is synchronized to every device on which the user runs the LastPass software, app or browser extension. Vault data is encrypted with AES-256; the encryption key is derived from the master password with PBKDF2-SHA256 using a per-user salt and an iteration count that the user can raise. Encryption and decryption take place on the user's device, not on LastPass's servers.[10][11]

LastPass has a form filler that automates password entry and form filling, and it supports password generation, site sharing and site logging, and two-factor authentication. Two-factor authentication is available through several methods, including LastPass's own Authenticator app for mobile phones and hardware keys such as YubiKey.[12]

Unlike some other major password managers, LastPass lets the user set a master-password hint to aid recall if the master password is forgotten.[13] The hint is stored on LastPass's servers rather than inside the encrypted vault, and password reminders were among the data exposed in the 2015 breach described below.

History


On December 2, 2010, it was announced that LastPass had acquired Xmarks, a web browser extension that enabled password synchronization between browsers. The acquisition meant the survival of Xmarks, which had financial troubles, and although the two services remained separate, the acquisition led to a reduced price for paid premium subscriptions combining the two services.[14][15] On March 30, 2018, the Xmarks service was announced to be shut down on May 1, 2018, according to an email to LastPass users.[16]

On October 9, 2015, GoTo acquired LastPass for $110 million. The company was combined under the LastPass brand with a similar product, Meldium, which had already been acquired by GoTo.[17][18]

On March 16, 2016, LastPass released LastPass Authenticator, a free two-factor authentication app.[19]

On November 2, 2016, LastPass announced that free accounts would now support synchronizing user content to any device, a feature previously exclusive to paid accounts. Earlier, a free account on the service meant it would sync content to only one app.[20][21]

In August 2017, LastPass announced LastPass Families, a family plan for sharing passwords, bank account info, and other sensitive data among family members for a $48 annual subscription. They also doubled the price of the Premium version without adding any new features to it. Instead, some features of the free version were removed.[22]

On December 14, 2021, GoTo announced that LastPass would be established as an independent company.[23] The spin-off was completed in May 2024, with LastPass being directly controlled by Francisco Partners and Elliott Investment Management, the private equity firms that took GoTo private in 2020.[7][24]

Reception


In March 2009, PC Magazine awarded LastPass five stars, an "Excellent" mark, and their "Editors' Choice" for password management.[25] A new review in 2016 following the release of LastPass 4.0 earned the service again five stars, an "Outstanding" mark, and "Editors' Choice" honor.[26]

In July 2010, LastPass's security model was extensively covered and approved of by Steve Gibson in his Security Now podcast episode 256.[27] He also revisited the subject and how it relates to the National Security Agency in Security Now podcast episode 421.[28]

In October 2015 when GoTo acquired LastPass, founder Joe Siegrist's blog was filled with user comments voicing criticism of GoTo.[29] Web sites ZDNet, Forbes and Infoworld posted articles mentioning the outcry by existing customers, some of whom said they would refuse to do business with GoTo, and raised other concerns about GoTo's reputation.[30][31][32]

A 2017 Consumer Reports article described LastPass as a popular password manager (alongside Dashlane, KeePass, and 1Password), with the choice between them mostly down to personal preference.[13] In March 2019, LastPass was awarded the Best Product in Identity Management award at the seventh annual Cyber Defense Magazine InfoSec Awards.[33]

In 2017, Stiftung Warentest evaluated nine paid password managers and rated LastPass Premium as one of four recommended products.[34] The test was later updated to include the 2022 LastPass breach.[35]

Security incidents


LastPass has faced ongoing scrutiny regarding its security practices and incident response over the years. Several independent analyses and reported breaches have raised concerns about how the company handles user data, mitigates vulnerabilities, and communicates risks to its customers. While LastPass employs industry-standard encryption to protect stored credentials, past security incidents and research findings have prompted debate over the platform’s overall reliability and its approach to safeguarding sensitive information.[36][37]

2011 security incident


In May 2011, LastPass reported detecting unusual network activity that indicated a possible intrusion into its servers. Although the company stated that no evidence of data exfiltration was found, it required all users to reset their master passwords as a precaution. According to LastPass, encrypted user vault data was not compromised.[38][39]

2015 security breach


In June 2015, the LastPass team discovered and halted suspicious activity on its network. The investigation revealed that account email addresses, password reminders, per-user server salts, and authentication hashes had been compromised; encrypted user vault data was not affected.[40]

2017 security vulnerabilities in the Android app

A 2017 analysis by the Fraunhofer-Institut für Sichere Informationstechnologie (SIT) identified several security flaws in multiple Android password managers, including LastPass.[41] The issues, which included improperly stored master passwords[42] and data leakage,[43][44] were reported to the developers and subsequently fixed.[45]

2021 third-party trackers and security incident


In 2021, it was discovered that the Android app contained third-party trackers.[46] At the end of 2021, LastPass warned users that their master passwords were compromised.[47]

2022 customer data and partially-encrypted vault theft


The LastPass 2022 data breach refers to two related security incidents disclosed by the password manager LastPass in 2022. In the first incident, an attacker accessed parts of LastPass’s development environment and exfiltrated source code repositories and technical documentation, including an encrypted copy of the key used to protect backups of customer data stored in Amazon S3.

In a second incident, a senior DevOps engineer’s personal computer was compromised, and the attacker used a keystroke logger to obtain the employee’s credentials and access an internal vault holding further keys. According to the UK Information Commissioner's Office (ICO), this enabled access to and exfiltration of a backup database and copies of some customers’ password vault data, which included both unencrypted fields (such as some website URLs) and encrypted fields (such as usernames and passwords).

The incidents led to significant downstream risk because stolen vault backups can be subjected to offline cracking attempts, with the likelihood of compromise depending on factors such as users’ master-password strength and encryption settings (including iteration counts). The breach prompted litigation and regulatory scrutiny, including a monetary penalty issued by the ICO in November 2025 against LastPass UK Ltd for failures to implement appropriate technical and organisational measures affecting over one million UK data subjects.

2024 leakage via injection attacks

A 2024 study by Fábrega et al. demonstrated that many popular password managers are vulnerable to injection attacks. LastPass was affected due to its handling of application-wide security metrics, allowing an attacker to inject crafted shared entries and observe externally logged data (such as duplicate-password counts) to determine whether their injected values matched passwords stored in a victim’s vault.[48]
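The oracle described in the paragraph above can be modelled directly. The following Python is an added example for this page, not code from the Fábrega et al. study or from LastPass. It assumes, with hypothetical names throughout, that the client computes a vault-wide reused-password count over every entry, including entries another user has shared into the vault, and that this aggregate leaves the device (telemetry, a health dashboard) where the sharer can read it. The victim vault is constructed. The hardened variant, which counts only the owner's own entries, is one possible mitigation suggested here, not necessarily what any vendor shipped.

```python
"""Model of metric-based password leakage through injected shared entries.

Added example for this page; not the study's or LastPass's code. The vault,
the exported metric and the sharing flow are simplified assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Entry:
    site: str
    username: str
    password: str
    shared_by: Optional[str] = None  # None means the vault owner created it


class Vault:
    def __init__(self, entries: List[Entry], metrics_over_shared: bool = True):
        self.entries = list(entries)
        # Weak setting: shared-in entries count toward the aggregate (the leak).
        # Hardened setting: only the owner's own entries are measured.
        self.metrics_over_shared = metrics_over_shared

    def accept_shared(self, entry: Entry) -> None:
        """Receive an entry shared by another user (no approval step modelled)."""
        self.entries.append(entry)

    def _measured(self) -> List[Entry]:
        if self.metrics_over_shared:
            return self.entries
        return [e for e in self.entries if e.shared_by is None]

    def reused_password_count(self) -> int:
        """Number of measured entries whose password appears more than once."""
        counts = Counter(e.password for e in self._measured())
        return sum(c for c in counts.values() if c > 1)


def reported_metrics(vault: Vault) -> Dict[str, int]:
    """The aggregate that leaves the device: it contains no password, yet it is
    a function of every password in the vault."""
    return {"reused_passwords": vault.reused_password_count()}


def probe(vault: Vault, attacker: str, guess: str,
          observe: Callable[[Vault], Dict[str, int]] = reported_metrics) -> bool:
    """Share one entry carrying `guess` and watch the exported aggregate.

    If `guess` already sits in the vault, the injected copy turns it and the
    original into duplicates and the count rises; otherwise it is unchanged.
    Callers must inject each distinct guess only once, or a second injection
    would collide with the first and produce a false positive.
    """
    before = observe(vault)["reused_passwords"]
    vault.accept_shared(Entry(f"{attacker}-probe-{len(vault.entries)}", "probe",
                              guess, shared_by=attacker))
    after = observe(vault)["reused_passwords"]
    return after > before


def recover(vault: Vault, attacker: str, candidates: List[str]) -> List[str]:
    """Run the oracle over a candidate list, trying each distinct value once."""
    return [c for c in dict.fromkeys(candidates) if probe(vault, attacker, c)]


def sample_vault(metrics_over_shared: bool) -> Vault:
    """Constructed victim vault; every value is made up for the example."""
    return Vault([
        Entry("bank.example", "alice", "Tr0ub4dor&3"),
        Entry("mail.example", "alice", "correcthorse"),
        Entry("forum.example", "alice", "correcthorse"),
    ], metrics_over_shared)


if __name__ == "__main__":
    candidates = ["Tr0ub4dor&3", "hunter2", "correcthorse", "P@ssw0rd"]
    print("leaky   :", recover(sample_vault(True), "mallory", candidates))
    print("hardened:", recover(sample_vault(False), "mallory", candidates))
```

The attacker never sees a password, only a count that moves; that is enough to confirm or rule out each guess, which is why any statistic computed over secrets and exported off-device has to be treated as a side channel, and why entries the owner did not create should not feed it.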

2024 evaluation of password checkup tools

A 2024 study by Hutchinson et al. examined the “password checkup” features of 14 password managers, including LastPass, using weak, breached, and randomly generated passwords. The authors found that the evaluated products reported weak and compromised passwords inconsistently and sometimes incompletely. No manager successfully flagged all known breached passwords. The study concludes that such inconsistencies may give users a false sense of security.[49]

2025 DOM-based extension clickjacking

Security researcher Marek Tóth presented a vulnerability in browser extensions of several password managers (including LastPass) at DEF CON 33 on August 9, 2025. In their default configurations, these extensions were shown to be exposed to a DOM-based extension clickjacking technique, allowing attackers to exfiltrate user data with just a single click.[50] The affected password manager vendors were notified in April 2025. According to Tóth, LastPass version 4.146.8 (September 12, 2025),[51] which was intended to address the issue, remains vulnerable.[52]

from Grokipedia
LastPass is an American password manager and digital vault application that enables users to generate, store, and autofill login credentials across multiple devices and platforms using client-side ("zero-knowledge") encryption. It supports single sign-on (SSO), multi-factor authentication (MFA), and passwordless options such as passkeys, serving both individual consumers and enterprises with plans that include secure sharing. Used by millions of personal users and over 100,000 businesses, LastPass emphasizes convenience in identity management while relying on AES-256 encryption and independent audits for data security.

Founded in 2008 by Joe Siegrist, Robert Billingslea, and Sameer Kochar, LastPass emerged as a solution to simplify password management amid growing online security concerns, starting as a free tool with premium upgrades. The company was acquired by LogMeIn (later rebranded as GoTo) in October 2015 for $110 million in cash, plus up to an additional $15 million contingent on performance milestones and retention, and was integrated into a broader suite of remote access and security products. Under this ownership, LastPass expanded its offerings, achieving milestones such as FIDO2 Server Certification in 2024.

In May 2024, LastPass became an independent entity under LMI Parent, LP, a holding company controlled by the private equity firms Francisco Partners and Elliott Management, with headquarters in Boston, Massachusetts. Following the spin-off, it launched SaaS Protect in August 2025 for enterprise threat detection. The spin-off followed significant challenges, including the security incidents disclosed in 2022, in which unauthorized access to a developer's machine led to the theft of source code and of customer vault backups in which only some fields were encrypted, prompting measures such as stronger encryption settings and compliance with ISO 27701.
Despite the breach's impact, which affected a subset of users and spurred industry-wide discussion of password manager vulnerabilities, LastPass remains one of the most widely used password managers. In 2025, LastPass responded to a phishing campaign that targeted its users with fake breach notifications, and it has continued to invest in passwordless authentication.

Product Overview

Description and Functionality

LastPass is a password manager application developed by LastPass, launched in 2008, designed to securely store, generate, and autofill login credentials across multiple devices. Users keep a single master password that unlocks a centralized vault of encrypted data, removing the need to remember many complex credentials. The application supports browser extensions for the major web browsers, mobile apps for iOS and Android, desktop applications for Windows, macOS, and Linux, and access through a web-based vault. Cross-platform synchronization runs through LastPass's cloud service, so stored credentials are available on any supported device without manual transfers.

In the typical user workflow, individuals create an account and set a strong master password, which serves as the sole key to unlock the encrypted vault containing all saved logins and sensitive information. LastPass employs a zero-knowledge model, meaning the company cannot access or decrypt user data, because encryption and decryption happen locally on the user's device.

As of November 2025, LastPass offers tiered pricing: a free plan limited to one device type, a Premium plan at $3 per month (billed annually) for unlimited multi-device access, a Families plan at $4 per month supporting up to six users, and business plans including Teams at $4 per user per month, Business at $7 per user per month, and Business Max at $9 per user per month for enterprise environments. It targets individuals seeking personal password management, families sharing secure access, and enterprises requiring scalable credential handling.

Core Features

LastPass provides users with a centralized encrypted vault for storing passwords, credentials, payment information, addresses, and unlimited secure notes, organized through customizable folders and site-specific groupings. The vault supports form filling, enabling users to save and autofill sensitive data across websites and applications in Chrome and the other supported browsers and on Android and iOS. The autofill and form-capture functionality detects login fields and populates them with stored credentials, reducing manual entry. A customizable password generator creates strong, unique passwords from user-specified parameters such as length and the inclusion of uppercase letters, numbers, and symbols. Secure sharing allows encrypted transmission of credentials, secure notes, or folders to trusted individuals such as family, colleagues, or contacts, with options for controlled access durations and permissions. For passwordless authentication, LastPass supports passkeys based on the FIDO2 and WebAuthn standards, storing and managing these cryptographic keys in the vault for phishing-resistant logins on compatible sites and apps. Dark web monitoring scans for exposed personal information or credentials and alerts users so they can remediate. The security dashboard analyzes password strength, detects reuse across accounts, identifies exposure to known breaches, and provides recommendations for improving the user's security posture.

Multi-factor authentication (MFA) options are integrated into the vault login process and supported sites, encompassing app-based authenticators such as Google Authenticator, Microsoft Authenticator, and the native LastPass Authenticator; SMS one-time codes; and hardware security keys such as Yubico OTP devices. For business users, LastPass offers an admin console for user provisioning and oversight, single sign-on (SSO) integration with identity providers, policy enforcement tools that mandate requirements such as password aging, minimum complexity, and MFA adoption across the organization, and SaaS Monitoring and SaaS Protect for visibility and control over employee use of unapproved SaaS applications and AI tools. All core features are covered by the zero-knowledge model, so only the user can decrypt their data.

Company History

Founding and Early Development

LastPass was established in October 2008 by Joe Siegrist, Robert Billingslea, and Sameer Kochar, with Siegrist serving as CEO, in response to their own frustrations with managing multiple passwords across devices and browsers. The startup focused on a browser-based password manager that emphasized ease of use and cloud synchronization, drawing on the founders' prior experience at companies such as eStara. Unlike the local-storage solutions prevalent at the time, LastPass prioritized encrypted cloud storage to enable access across platforms, aiming to reduce password reuse and manual entry. The product entered public beta in late August or early September 2008, initially as browser plugins, with Chrome compatibility added shortly after. By 2009, LastPass had reached full release, offering a free tier alongside premium features to encourage adoption and building a user community through open communication on its forums. Early competition came from established tools such as the open-source KeePass, which relied on local file storage, and RoboForm, a form-filling tool with limited sync capabilities; LastPass differentiated itself by making secure sync a core convenience feature. The company later expanded to mobile, releasing apps for iOS and Android as those operating systems allowed greater third-party integration. By 2013, LastPass had surpassed one million users, reflecting steady organic growth driven by its free model and cross-platform support for Windows, Mac, and Linux. This period included challenges in fostering user trust amid skepticism toward cloud-based password storage, addressed through active engagement and iterative updates based on feedback.

Acquisitions and Corporate Evolution

In October 2015, LogMeIn acquired LastPass for $110 million in cash, integrating the product into its portfolio of remote access and collaboration tools to bolster its enterprise security offerings. Following LogMeIn's 2018 acquisition of Jive Communications, the company rebranded in February 2022 as GoTo, unifying its IT management, support, and communication products under a single platform aimed at small and medium-sized businesses. In December 2021, LogMeIn announced plans to spin off LastPass as an independent entity so that it could focus on its cloud security products separately from LogMeIn's core IT operations; the process was completed on May 1, 2024, with LastPass operating under LMI Parent, owned by the private equity firms Elliott Management and Francisco Partners. The 2022 security incidents reinforced the case for independence, allowing LastPass to concentrate on cybersecurity. Post-spin-off, LastPass assembled a new executive leadership team, including CEO Karim Toubba, to pursue a cybersecurity-centric strategy, establishing units such as the Privacy Operations, Safety, and Trust (POST) team. In early 2025, the company revamped its partner program for managed service providers (MSPs), introducing streamlined billing, prorated invoicing, and expanded revenue opportunities. These shifts accompanied business expansion, including the debut of SaaS Protect in August 2025 at Black Hat, a tool that monitors and enforces policies on unapproved SaaS applications and weak credentials in enterprise environments.

Security Architecture

Encryption and Zero-Knowledge Model

LastPass implements what it calls a zero-knowledge architecture: the company holds no copy of users' unencrypted data or of the key that protects it. (The term here means client-side encryption with a user-held key, not a zero-knowledge proof.) All sensitive information, including the passwords and notes stored in the vault, is encrypted on the user's device before transmission to LastPass servers. The servers store only these encrypted blobs, and decryption occurs exclusively on the client using a key derived from the user's master password. The master password itself is never transmitted or stored by the service, so a compromise of the servers yields ciphertext rather than vault contents.

The core primitives are AES-256 for the vault data and PBKDF2-SHA256 for deriving the encryption key from the master password. Before the 2022 incidents the default was 100,100 PBKDF2 iterations; afterwards LastPass raised the minimum to 600,000 iterations to make offline brute-force attacks against stolen data more expensive. Each user's derivation is salted with a per-user value, so a table precomputed for one account cannot be reused against another. Data in transit is additionally protected by TLS during synchronization across devices. LastPass stores the encrypted blobs in Amazon Web Services (AWS) without holding the decryption keys, which exist only on the user's device; syncing therefore works without the service ever being able to reconstruct the plaintext.

The structure of the vault has evolved to widen encryption coverage. Before 2024, certain metadata, such as the URLs associated with stored credentials, was stored unencrypted to support autofill without touching the core secrets; this is why URLs were readable in the vault backups stolen in 2022. Beginning August 5, 2024, LastPass rolled out encryption of these fields, including URLs in vaults and shared folders. These mechanisms underpin LastPass's compliance claims against frameworks such as SOC 2 Type II, the GDPR for data protection in the EU, and HIPAA for health-related data. Multi-factor authentication layers additional verification on top of this encrypted foundation to secure user sessions.
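The key derivation sketched in the Wikipedia overview above, the iteration counts quoted in this section, and the offline-cracking risk noted under the 2022 incident all come down to one computation. The following Python model is an added example for this page, not LastPass's own code. It assumes, as a simplification not stated on this page, that the vault key is PBKDF2-SHA256 over the master password salted with the lower-cased account email, and that the login token is one further PBKDF2-SHA256 round over that key salted with the master password; the AES-256 vault encryption itself is left out, and the account, password and wordlist are constructed.

```python
"""Model of LastPass-style master-password key derivation and of why the
PBKDF2 iteration count sets the price of offline cracking.

Added example for this page, not LastPass's own code. The scheme is a
simplified model (an assumption, not stated on this page): the vault key is
PBKDF2-SHA256 over the master password salted with the lower-cased account
email, and the login token sent to the server is one further PBKDF2-SHA256
round over that key salted with the master password. The AES-256 encryption
of the vault itself is not modelled.
"""
import hashlib
import hmac
import time
from typing import Iterable, Optional, Tuple

KEY_LEN = 32                  # 256 bits, the size of an AES-256 key
LEGACY_ITERATIONS = 100_100   # default cited on this page before the 2022 incidents
CURRENT_ITERATIONS = 600_000  # minimum cited on this page afterwards


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Client-side derivation of the key that protects the vault.

    The email is the per-user salt: two users with the same master password
    get different keys, and a table precomputed for one user is useless
    against another.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        KEY_LEN,
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra round turns the vault key into a login token.

    Only this token travels to the server. The master password and the vault
    key never leave the device, which is the zero-knowledge property.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode("utf-8"), 1, KEY_LEN
    )


def enrol(master_password: str, email: str, iterations: int) -> Tuple[bytes, bytes]:
    """What the client computes at login: (vault key kept locally, auth hash sent)."""
    key = derive_vault_key(master_password, email, iterations)
    return key, derive_auth_hash(key, master_password)


def server_verify(stored_auth_hash: bytes, presented_auth_hash: bytes) -> bool:
    """Server side: constant-time comparison of the presented token with the stored one."""
    return hmac.compare_digest(stored_auth_hash, presented_auth_hash)


def offline_crack(stolen_auth_hash: bytes, email: str, iterations: int,
                  wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding stolen per-user material does.

    Here the loot is a 2015-style auth hash and the check is a hash compare;
    against a 2022-style vault backup the check would be a successful AES
    decryption instead, but the cost per guess, one full PBKDF2 run, is the
    same. The salt and iteration count must be known (they sit beside the
    stolen data) or no guess ever matches.
    """
    for candidate in wordlist:
        key = derive_vault_key(candidate, email, iterations)
        if hmac.compare_digest(derive_auth_hash(key, candidate), stolen_auth_hash):
            return candidate
    return None


def seconds_per_guess(email: str, iterations: int, samples: int = 3) -> float:
    """Time one derivation on this machine.

    A GPU rig is far faster in absolute terms, but the ratio between two
    iteration counts carries over: 600,000 vs 100,100 is roughly a 6x
    slowdown per guess for the attacker.
    """
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"probe-{i}", email, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed sample account and wordlist; not real data.
    email = "alice@example.com"
    weak_master = "Summer2019!"
    vault_key, auth_hash = enrol(weak_master, email, LEGACY_ITERATIONS)
    assert server_verify(auth_hash, enrol(weak_master, email, LEGACY_ITERATIONS)[1])

    wordlist = ["password", "123456", "Summer2018!", "Summer2019!"]
    print("recovered master password:",
          offline_crack(auth_hash, email, LEGACY_ITERATIONS, wordlist))
    for n in (LEGACY_ITERATIONS, CURRENT_ITERATIONS):
        s = seconds_per_guess(email, n, samples=2)
        print(f"{n:>7} iterations: {s * 1000:7.1f} ms per guess, "
              f"about {86400 / s:,.0f} guesses per core-day")
```

Run the file directly to see the weak master password fall to a four-word list and the per-guess time roughly sextuple between the two iteration counts. The iteration count only scales the attacker's bill; it does not change the order in which a wordlist is tried, so an account still at the old setting with a password that appears in breach corpora is the cheap target, which is why the page's advice to raise the count and change reused passwords goes together.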

Access Controls and Multi-Factor Authentication

LastPass requires users to create a strong master password to access their encrypted vault, with a minimum length of 12 characters including at least one uppercase letter, one lowercase letter, one number, and one special character. The service advises against reusing the master password for any other online account, since a reused password exposed elsewhere would let an attacker attempt the vault login directly. For stronger protection, users are encouraged to use a longer passphrase, which raises entropy and resistance to brute-force attempts without relying on complex composition rules.

Beyond the master password, LastPass implements multi-factor authentication (MFA) through several methods, including integration with Duo Security for push notifications and adaptive authentication. Supported options also include authenticator apps such as Google Authenticator, Microsoft Authenticator, and the native LastPass Authenticator for time-based one-time passwords (TOTP). Biometric verification, such as fingerprint or face recognition on compatible devices, can unlock the vault locally, while hardware tokens such as YubiKey provide FIDO2-based (phishing-resistant) or OTP authentication, with up to five keys associable per account. Users can enable multiple MFA methods simultaneously and select a default for login prompts.

Session management includes controls over active logins to limit prolonged exposure. New devices require email-based approval before full access, so a stolen password alone does not log in from an unfamiliar device. Trusted-device lists let users designate devices for a 30-day period, bypassing subsequent MFA prompts on those devices for convenience at the cost of weaker per-login verification. Automatic logout after inactivity is configurable via extension preferences or account settings, triggered by idle time or browser closure, so unattended sessions end promptly.

For business users, LastPass provides admin controls to enforce organizational policies. Role-based access control (RBAC) lets administrators assign granular permissions through predefined or custom roles, such as super admin for full oversight or helpdesk admin for limited support tasks, so users only access the resources they need. Single sign-on (SSO) integration supports SAML for enterprise identity federation and OAuth for API-driven authorization, covering over 1,200 applications without separate credentials. Audit logs track user activities, including logins, password changes, and policy enforcement, with exportable reports in the admin console for compliance and monitoring. In 2025, LastPass released security improvements to the admin console and introduced SaaS Protect for threat detection in enterprise environments.

Where a user becomes incapacitated, the emergency access feature lets them designate trusted contacts (other LastPass users) who can request access to the vault after a waiting period configurable from 3 hours to a month; the contact then receives a shared "Emergency Access" folder with the vault contents until the owner revokes it, without needing the master password or recovery key. The process uses public-key cryptography for the sharing, supports multiple designees, and keeps the contents end-to-end encrypted.

Security Incidents

Pre-2022 Breaches

In May 2011, LastPass detected a network anomaly indicating possible unauthorized access to its systems, potentially exposing email addresses and salt values for approximately 1.25 million users. No encrypted vault data was shown to be compromised, and the salted hashing in place meant that any captured authentication data could not be turned directly into usable credentials. In response, the company required all users to reset their master passwords and added safeguards such as email validation for logins from new IP addresses.

In June 2015, an attacker gained access to LastPass's network and obtained email addresses, password reminders, per-user salts, and master-password authentication hashes for some users; no vault data containing site credentials was affected. The unauthorized activity was detected and blocked early, with no evidence of broader penetration. LastPass responded by enhancing monitoring and conducting code reviews to strengthen its defenses.

During 2021, concerns arose over third-party trackers embedded in the LastPass Android app, including analytics SDKs from Google and other vendors, which collected user data across websites and apps. These trackers, seven in total, raised questions about data-collection practices and the absence of explicit user consent. LastPass subsequently removed the trackers from the app and conducted audits to improve privacy and transparency.

2022 Data Breaches

The 2022 security incidents at LastPass were two linked intrusions. In the first, between August 8 and 12, 2022, a threat actor used a compromised developer account to reach LastPass's cloud-based development environment and took source code and technical documentation; no customer vaults or encrypted data were accessed. LastPass disclosed this incident on August 25, 2022, stating that the activity was contained and that no customer action was required.

In the second incident, the actor used information taken in the first to target a senior DevOps engineer. The engineer's home computer was compromised through a vulnerability in third-party media software (Plex Media Server, CVE-2020-5741), and keylogging malware captured the engineer's corporate master password as it was entered, so the multi-factor authentication on the account did not stop the attacker from reusing the resulting access to the engineer's corporate vault and the keys stored in it. With those keys the actor accessed a shared cloud storage service holding archived vault backups and exfiltrated unencrypted customer metadata such as email addresses, phone numbers, IP addresses, and billing details for millions of users, together with vault backups in which website URLs were unencrypted while usernames, passwords, and secure notes were encrypted. No master passwords were stolen, and the encrypted fields can only be decrypted with each user's own master password.

The full scope emerged in later disclosures: a December 22, 2022 update tied the theft to the August incident, and a March 1, 2023 notification gave the complete timeline, confirming that the threat actor's activity ended by October 26, 2022. The attack combined social engineering, a vulnerability exploit, and info-stealer tactics; no attribution to a named group was publicly confirmed. The exposed metadata, URLs and email addresses especially, enabled targeted phishing of users, and the stolen vaults could be attacked offline. As of March 2025, the breach had been linked to cryptocurrency thefts exceeding $150 million, including a $150 million XRP theft from a Ripple co-founder, with U.S. authorities seizing approximately $23 million in related cryptocurrency; in several cases attackers cracked weak master passwords and read wallet seed phrases stored in secure notes.

Response and Improvements

Post-Incident Security Enhancements

Following the 2022 incidents, LastPass extended vault encryption to the URL fields that had previously been stored in the clear. The change was announced in May 2024; the initial phase completed in June 2024, the rollout began in August 2024, and a second phase covering remaining fields followed in the latter half of the year. Earlier, in 2023, LastPass raised the PBKDF2-SHA256 iteration count used for master-password key derivation to a minimum of 600,000 for both new and existing users, increasing resistance to brute-force attacks. It also enhanced its threat detection and monitoring systems. On data minimization, LastPass reported in October 2023 ongoing work to reduce unencrypted metadata by expanding encryption across customer data and metadata in its application databases and storage. The Security Dashboard gained vault health reports that flag weak or reused passwords for remediation, and business administrators received Admin Console views of user iteration counts, shared-credential risks, and other vulnerabilities. In 2025, the company launched SaaS Protect, which detects and blocks access to unapproved SaaS applications, extending SaaS monitoring to policy enforcement. LastPass also recommended, in its March 2023 incident update, that users change any reused or compromised credentials, and it extended free dark web monitoring scans to all users to alert them to exposed information.

Independent Audits and Ongoing Updates

Following the 2022 security incidents, LastPass engaged in third-party verifications to validate its security posture, including annual SOC 2 Type II certifications that assess controls across security, availability, processing integrity, confidentiality, and privacy. These certifications, conducted by independent auditors, confirm compliance with industry standards and are renewed yearly to ensure ongoing adherence. Additionally, LastPass operates a disclosure program through Bugcrowd, inviting ethical hackers to identify and report potential issues in exchange for rewards, which has facilitated proactive remediation of extension and platform vulnerabilities. In 2023, LastPass completed an internal investigation supplemented by compliance audits, which verified no persistent unauthorized access or activity beyond October 2022, with recommendations leading to strengthened capabilities, including enhanced monitoring and identity access management investments. These efforts addressed identified gaps in real-time detection, resulting in improved platform hardening without of recurring exploits. As part of its ongoing security initiatives, LastPass participates in the to advance standards, supporting FIDO2 compliance for phishing-resistant logins. In 2025, the company expanded passkey functionality, enabling users to create, store, and autofill passkeys across devices for seamless, secure access to supported sites and apps, with administrative controls for enterprise deployment. This aligns with broader roadmap plans discussed at industry events like RSAC 2025. LastPass began issuing regular transparency updates in 2023, including detailed incident reports and annual analyses that outline threat trends and mitigation strategies. For compliance, the platform enhanced GDPR support with robust data export tools allowing users to request and retrieve in structured formats, ensuring adherence to right-to-access obligations. 
Through November 2025, no new major incidents have been reported, as evidenced by continuous status monitoring and absence of disclosures.

Reception

Critical Reviews

LastPass has received mixed critical reviews in 2025, with experts praising its user-friendly interface and robust cross-platform support while expressing persistent concerns over vulnerabilities stemming from past incidents. awarded it 3.5 out of 5 stars in September 2025, highlighting the excellence of its autofill capabilities and smooth password capture across devices, which contribute to its feature richness for everyday users. Similarly, G2's Fall 2025 Global Grid Reports positioned LastPass as a leader in password management, emphasizing its ease of use, dependability, and multi-device functionality, particularly for business applications. Criticisms have centered on ongoing distrust following the 2022 breaches, with several outlets questioning its overall safety. SafetyDetectives updated its review in August 2025 to no longer recommend LastPass, citing metadata exposure risks and the lasting impact of the breaches that compromised vaults. Cybernews rated it 3.8 out of 5 in 2025, acknowledging strong but criticizing lapses that have eroded user confidence. In comparisons with competitors, LastPass is often rated below open-source alternatives like due to its closed architecture and breach history, though it remains competitive with in terms of ease of use. Cybernews noted in its 2025 analysis that while LastPass offers a solid free tier and affordable plans, its reputation has suffered compared to more polished options like . Expert analyses have raised specific concerns about potential vault cracking enabled by the stolen data. Krebs on Security reported in March 2025 that federal investigations linked a $150 million cyberheist to the 2022 LastPass hacks, building on 2023 findings that criminals may have cracked master passwords from the breached vaults. 
Following its 2024 spin-off from , LastPass has seen some improved scores in 2025 evaluations, such as enhanced leadership in categories like , attributed to updates in partner programs and security workflows. However, the legacy of the breaches continues to influence critiques, with outlets like SafetyDetectives maintaining their non-recommendation despite these efforts.

User Feedback and Market Position

User satisfaction with LastPass remains generally positive, particularly for its convenience and ease of use, as evidenced by a 4.4 out of 5 rating on based on thousands of reviews in 2025. Users frequently praise its multi-device functionality and intuitive interface, which have contributed to its ranking as the top in G2's 2025 Global Grid Reports across multiple quarters. However, feedback is mixed, with some long-term users expressing loyalty due to familiarity despite past security concerns, while others have migrated to alternatives following the 2022 breaches that eroded trust. Common complaints include limitations on the free plan, which since has restricted syncing to a single type of device, reducing its appeal for multi-platform users. Additional grievances involve slow response times and ongoing concerns over , which led to a 9% increase in customer churn as of late 2023; recent reports indicate stabilization in churn rates following overhauls. In late 2025, phishing campaigns impersonating LastPass, including fake emails claiming account hacks, have further heightened user caution around . These issues have led to perceptions of diminished reliability, prompting some users to seek more robust options. In the market, LastPass holds approximately 21-23% share as of 2025, positioning it as a leader ahead of competitors like and . With over 30 million registered users, it maintains strength in small and medium-sized businesses (SMBs) through seamless integrations and enterprise features. By 2025, LastPass has shown signs of recovery following its 2024 spin-off as an independent company, which has bolstered user confidence through focused investments in and partner programs. Independent reviews highlight its user-friendly design while cautioning about the free tier's constraints. Enterprise adoption continues to grow via enhanced partner ecosystems, supporting broader scalability. 
LastPass has influenced the industry's transition toward passkeys by integrating support for these passwordless credentials in 2025, enabling seamless creation and management within its vault to promote phishing-resistant authentication. Despite competition, it retains its top ranking in G2's 2025 evaluations for overall password management.
