From Wikipedia, the free encyclopedia
IndustryPassword management
Computer security
Founded2008; 15 years ago (2008)
United States
Key people
Karim Toubba (CEO, 2022)
Revenue$200 million (2021)
Number of employees
550+ (2022)
Footnotes / references

LastPass is a password manager distributed in subscription form as well as a freemium model with limited functionality.[3] The standard version of LastPass comes with a web interface, but also includes plugins for various web browsers and apps for many smartphones.[4] It also includes support for bookmarklets.[5] LogMeIn, Inc. (now GoTo) acquired LastPass in October 2015.[6] On December 14, 2021, LogMeIn announced that LastPass would be made into a separate company and accelerate its release timeline.[7]

LastPass suffered significant security incidents between 2011 and 2022. Notably, in late 2022, user data, billing information, and vaults (with some fields encrypted and others not) were breached, leading many security professionals to call for users to change all their passwords and switch to other password managers.[8]


A user's content in LastPass, including passwords and secure notes, is protected by one master password. The content is synchronized to any device the user uses the LastPass software or app extensions on. Information is encrypted with AES-256 encryption with PBKDF2 SHA-256, salted hashes, and the ability to increase password iterations value. Encryption and decryption takes place at the device level.[4][9]

LastPass has a form filler that automates password entering and form filling, and it supports password generation, site sharing and site logging, and two-factor authentication. LastPass supports two-factor authentication via various methods including the LastPass Authenticator app for mobile phones as well as others including YubiKey.[10] LastPass is available as an extension to many web browsers, including Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge, Vivaldi, and Opera. It also has apps available for smartphones running the Android, iOS, or Windows Phone operating systems. The apps have offline functionality.[4] Note that LastPass shuts off the Google Chrome browser setting allowing the user to automatically save pass words in the browser. [see]

Unlike some other major password managers, LastPass offers a user-set password hint, allowing access when the master password is missing.[11]


On December 2, 2010, it was announced that LastPass had acquired Xmarks, a web browser extension that enabled password synchronization between browsers. The acquisition meant the survival of Xmarks, which had financial troubles, and although the two services remained separate, the acquisition led to a reduced price for paid premium subscriptions combining the two services.[12][13] On March 30, 2018, the Xmarks service was announced to be shut down on May 1, 2018, according to an email to LastPass users.[14]

On October 9, 2015, LogMeIn, Inc. acquired LastPass for $110 million. The company was combined under the LastPass brand with a similar product, Meldium, which had already been acquired by LogMeIn.[6][15][16]

On February 3, 2016, LastPass unveiled a new logo. The previous logo, which prominently featured an asterisk, was the subject of a trademark lawsuit filed in early 2015 by E-Trade, whose logo also features an asterisk.[17]

On March 16, 2016, LastPass released LastPass Authenticator, a free two-factor authentication app.[18][19]

On November 2, 2016, LastPass announced that free accounts would now support synchronizing user content to any device, a feature previously exclusive to paid accounts. Earlier, a free account on the service meant it would sync content to only one app.[20][21]

In August 2017, LastPass announced LastPass Families, a family plan for sharing passwords, bank account info, and other sensitive data among family members for a $48 annual subscription. They also doubled the price of the Premium version without adding any new features to it. Instead, some features of the free version were removed.[22]

On February 16, 2021, LastPass announced that from March 16, free versions would be usable on only desktop or mobile devices, rather than both. Any user wishing to continue using both would have to pay for the premium (i.e. paid for) version. They would also discontinue email support for Free users at the same time.[23]

On December 14, 2021, LogMeIn, Inc. announced that LastPass will be established as an independent company[24]


In March 2009, PC Magazine awarded LastPass five stars, an "Excellent" mark, and their "Editors' Choice" for password management.[25] A new review in 2016 following the release of LastPass 4.0 earned the service again five stars, an "Outstanding" mark, and "Editors' Choice" honor.[26]

In July 2010, LastPass's security model was extensively covered and approved of by Steve Gibson in his Security Now podcast episode 256.[27] He also revisited the subject and how it relates to the National Security Agency in Security Now podcast episode 421.[28]

In October 2015 when LogMeIn acquired LastPass, founder Joe Siegrist's blog was filled with user comments voicing criticism of LogMeIn. [29] Web sites ZDNet, Forbes and Infoworld posted articles mentioning the outcry by existing customers, some of whom said they would refuse to do business with LogMeIn, and raised other concerns about LogMeIn's reputation.[30][31][32]

In a 2017 Consumer Reports article Dan Guido, the CEO of Trail of Bits, called LastPass a popular password manager (alongside Dashlane, KeePass, and 1Password), with the choice between them mostly down to personal preference.[11] In March 2019, Lastpass was awarded the Best Product in Identity Management award during the seventh annual Cyber Defense Magazine InfoSec Awards.[33]

In February 2021, in response to LastPass limiting its free tier to one type of device, Barry Collins of Forbes called the change a "bait and switch" that makes free accounts "much less useful than they used to be" that "ruins" the free tier.[34]

Security incidents[edit]

2011 security incident[edit]

On Tuesday, May 3, 2011, LastPass discovered an anomaly in their incoming network traffic, then a similar anomaly in their outgoing traffic. Administrators found none of the hallmarks of a classic security breach (for example, a non-administrator user being elevated to administrator privileges), but neither could they determine the anomalies' cause. Furthermore, given the size of the anomalies, it was theoretically possible that data such as email addresses, the server salt, and the salted password hashes were copied from the LastPass database. To address the situation, LastPass took the "breached" servers offline so they could be rebuilt and, on May 4, 2011, requested all users change their master passwords. They said that while there was no direct evidence that any customer information was compromised, they preferred to err on the side of caution. However, the resulting user traffic overwhelmed the login servers, and company administrators — considering the possibility that existing passwords that had been compromised was trivially small — asked users to delay changing their passwords until further notice.[35][36]

2015 security breach[edit]

On Monday, June 15, 2015, LastPass posted a blog post indicating that the LastPass team had discovered and halted suspicious activity on their network the previous Friday. Their investigation revealed that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised; however, encrypted user vault data had not been affected. The company blog said, "We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."[37][38]

2016 security incidents[edit]

In July 2016, a blog post published by independent online security firm Detectify detailed a method for reading plaintext passwords for arbitrary domains from a LastPass user's vault when that user visited a malicious web site. This vulnerability was made possible by poorly written URL parsing code in the LastPass extension. The flaw was not disclosed publicly by Detectify until LastPass was notified privately and able to fix their browser extension.[39] LastPass responded to the public disclosure by Detectify in a post on their own blog, in which they revealed knowledge of an additional vulnerability, discovered by a member of the Google Security Team, and already fixed by LastPass.[40]

2017 security incidents[edit]

On March 20, Tavis Ormandy discovered a vulnerability in the LastPass Chrome extension. The exploit applied to all LastPass clients, including Chrome, Firefox and Edge. These vulnerabilities were disabled on March 21, and patched on March 22.[41]

On March 25, Ormandy discovered an additional security flaw allowing remote code execution based on the user navigating to a malicious website. This vulnerability was also patched.[42][43]

2019 security incidents[edit]

On Friday, August 30, 2019, Tavis Ormandy reported a vulnerability in the LastPass browser extension in which Web sites with malicious JavaScript code could obtain a username and password inserted by the password manager on the previously visited site.[44][45] By September 13, 2019, Lastpass publicly announced the vulnerability, acknowledging the issue was limited to the Google Chrome and Opera extensions only; nonetheless, all platforms received the vulnerability patch.[46] [47]

2020 security incident[edit]

On 6th of April 2020, a vulnerability was found, concerning the storage of the master password within the web extension. LastPass did not use the Windows Data Protection API, but stored the Master Password in a local file when the "Remember password" option is activated. [48]

2021 third-party trackers and security incident[edit]

In 2021 it was discovered that the Android app contained third-party trackers.[49] Also, at the end of 2021, an article at the site BleepingComputer reported that LastPass users were warned that their master passwords were compromised.[50]

2022 security incidents[edit]

In late 2022, LastPass reported in blog posts a series of hacks on their infrastructure that resulted in customer information falling into the hands of threat actors. The stolen information includes names, email addresses, billing addresses, partial credit cards and website URLs. In addition, some data encrypted with users' master passwords was stolen, including login usernames and site passwords. The security of that encrypted data depends on the strength of the user's master password, or whether the password had previously been leaked, and the number of rounds of encryption used.

On August 25, 2022, LastPass published a blog post[51] notifying customers that a third party gained unauthorized access to portions of their development environment, source code, and technical information through a single compromised developer account.

In November, LastPass published updates on the security breach and stated that some customer data was accessed by a third party. LastPass assured users that passwords stored with the service were still secure, as encryption and decryption of passwords takes place on the user’s device.[52]

In December, LastPass reported that the actor obtained a backup of customer data and the customer vault data (the password databases) by using some of the information obtained in the August breach. The customer data included customers' names, billing addresses, phone numbers, email addresses, IP addresses and partial credit card numbers. The vault data included, for each breached user, unencrypted website URLs and site names, and encrypted usernames, passwords and form data for those sites. According to the report, the stolen info did not include a plain text copy of the user's master password, which would be required to create a new cryptographic hash, to decrypt the encrypted portions of the vault data (such as usernames and passwords), and which LastPass does not store. The report did not reveal when the compromised vault data backup was made, when the vault data was stolen, how many users were affected, which fields in the vault data were encrypted or not, nor if vault metadata was taken, including number of rounds of encryption used on the encrypted portions of the vault.

The December disclosure suggested that, if customers had selected a strong master password and elected, under the account's advanced settings, to uses the many thousands of rounds of PBKDF2-HMAC-SHA-256 encryption (600,000 iterations recommended by OWASP, as of 2022),[53] it would take millions of years to decrypt the passwords. Though not mentioning new customers prior to June 2012 had, by default, a single PBKDF2-HMAC-SHA-256 hash applied to their Master password, with site usernames and passwords encrypted with the weak AES-ECB cipher, a default iteration count that was increased for new customers to 500 encryption cycles, and later increased to a default, for new accounts, to 5,000, before a default of 100,100 iterations, a minimum Master Password length of 12 characters, and the stronger AES-CBC ciper employed, by default for new customers, in February 2018.[54][55][56]

A further report from January 2023 stated that in addition to the vaults, some MFA settings and storage keys were obtained.[57]

Commentators expressed concerns that if a user's master password was weak or leaked,[58] the encrypted parts of the customer's data could be decrypted.[59] LastPass stated no action was necessary for the majority of its customers,[54] but other sources recommended changing all passwords and vigilance against possible phishing attacks.[60][61] Some sources criticized LastPass's response,[62] and raised additional concerns over the number of rounds of encryption that were required.

A class-action lawsuit was initiated in early 2023, with the anonymous plaintiff stating that LastPass failed to keep users' information safe.[63] Of particular concern in the lawsuit was the increased risk of the details being used in phishing attacks.


  1. ^ [1]. The Boston Globe. Retrieved on May 20, 2022.
  2. ^ "LastPass to stand alone as LogMeIn owners say they'll spin off the password management company". The Boston Globe. Retrieved 2022-05-20.
  3. ^ "LastPass Free vs. Premium | Worth the Upgrade? | LastPass". Retrieved 2022-12-14.
  4. ^ a b c "The best way to manage passwords". LogMeIn. Retrieved 8 August 2018.
  5. ^ "Bookmarklets". LogMeIn. Archived from the original on 26 February 2017. Retrieved 8 August 2018.
  6. ^ a b Siegrist, Joe (9 October 2015). "LastPass Joins the LogMeIn Family". LogMeIn. Retrieved 8 August 2018.
  7. ^ "LastPass Investing Even More in Your Password Security in 2022". LogMeIn. 14 December 2021. Retrieved 14 Dec 2021.
  8. ^ Newman, Lily Hay. "Yes, It's Time to Ditch LastPass". Wired. ISSN 1059-1028. Retrieved 2022-12-30.
  9. ^ Hoffman, Chris (9 August 2012). "11 Ways to Make Your LastPass Account Even More Secure". How-To Geek.
  10. ^ Eddy, Max (30 March 2016). "LastPass Authenticator (for iPhone)". PCMag. Ziff Davis.
  11. ^ a b Chaikivsky, Andrew (7 February 2017). "Everything You Need to Know About Password Managers". Consumer Reports.
  12. ^ Gott, Amber (2 December 2010). "LastPass Acquires Xmarks!". LogMeIn.
  13. ^ Purdy, Kevin (2 December 2010). "LastPass Acquires Xmarks, Keeping Free Bookmark-Syncing Plans Available". Lifehacker. Gizmodo Media Group.
  14. ^ Brinkmann, Martin (1 April 2018). "LogMeIn to shut down Xmarks on May 1, 2018". gHacks. Archived from the original on 1 April 2018.
  15. ^ Brodkin, Jon (9 October 2015). "LogMeIn buys LastPass password manager for $110 million". Ars Technica. Condé Nast.
  16. ^ Perez, Sarah (9 October 2015). "LogMeIn Acquires Password Management Software LastPass For $110 Million". TechCrunch. Oath Tech Network.
  17. ^ Siegriest, Joe. "Meet the New LastPass Logo". LastPass. Retrieved November 2, 2016.
  18. ^ Gott, Amber (16 March 2016). "LastPass Authenticator Makes Two-Factor Easy". LogMeIn.
  19. ^ Whitwam, Ryan (16 March 2016). "LastPass Releases Its Own 2-Factor Mobile Authenticator App". AndroidPolice. Illogical Robot.
  20. ^ Siegriest, Joe (2 November 2016). "Get LastPass Everywhere: Multi-Device Access Is Now Free!". LogMeIn.
  21. ^ Kastrenakes, Jacob (2 November 2016). "There's now one less excuse not to use a password manager". The Verge. Vox Media.
  22. ^ Maring, Joe (3 August 2017). "LastPass announces pricing for 'Families' plan; doubles cost of Premium option". 9to5Google.
  23. ^ "Changes to LastPass Free". LastPass. 16 February 2021. Retrieved 16 February 2021.
  24. ^ "LogMeIn Set to Establish LastPass as an Independent Cloud Security Company Amid Strong Market Demand". LogMeIn. 14 December 2021. Retrieved 11 October 2022.
  25. ^ Rubenking, Neil (20 March 2009). "LastPass 1.50 Review". PCMag. Ziff Davis. Archived from the original on 24 March 2009.{{cite web}}: CS1 maint: unfit URL (link)
  26. ^ Rubenking, Neil (November 2, 2016). "LastPass 4.0 Review". PC Magazine. Retrieved November 2, 2016.
  27. ^ Gibson, Steve; Laporte, Leo (10 June 2010). "Security Now 256: LastPass Security".
  28. ^ Gibson, Steve; Laporte, Leo (11 September 2013). "Security Now 421: The Perfect Accusation".
  29. ^ Brodkin, Jon (9 October 2015). "LogMeIn buys LastPass password manager for $110 million". Ars Technica. Condé Nast.[verification needed]
  30. ^ "LastPass bought by LogMeIn for $110 million; ... outcry from LastPass users, some of whom say they refuse to do business with LogMeIn". ZDNet. 2015-10-09. Retrieved 2019-06-12.[verification needed]
  31. ^ "LastPass Joins LogMeIn, But Not Everyone Is Thrilled About It". Forbes. 2015-10-09. Retrieved 2019-06-12.[verification needed]
  32. ^ "LogMeIn acquires LastPass to beef up identity portfolio". InfoWorld. 2015-10-09. Retrieved 2019-06-12.[verification needed]
  33. ^ Shah, Megha (20 March 2019). "LastPass by LogMeIn Awarded 2019 InfoSec Recognition". Tech Funnel.
  34. ^ Collins, Barry. "LastPass Breaks Free Accounts: Where To Store Your Passwords Now?". Forbes. Retrieved 2021-02-17.
  35. ^ Siegrist, Joe (16 May 2011). "LastPass Security Notification". LogMeIn.
  36. ^ Raphael, JR (5 May 2011). "LastPass CEO Explains Possible Hack". PC World. IDG.
  37. ^ Siegrist, Joe (10 July 2015). "LastPass Security Notice". LogMeIn.
  38. ^ Goodin, Dan (June 15, 2015). "Hack of cloud-based LastPass exposes hashed master passwords". Ars Technica. Condé Nast.
  39. ^ Karlsson, Mathias (27 July 2016). "How I made LastPass give me all your passwords". Detectify Labs. Detectify.
  40. ^ Gott, Amber (27 July 2016). "LastPass Security Updates". LogMeIn.
  41. ^ Gott, Amber (22 March 2017). "Important Security Updates for Our Users". LogMeIn.
  42. ^ Ormandy, Travis (25 March 2017). "{Untitled}". @taviso. Twitter.
  43. ^ Siegrist, Joe (27 March 2017). "Security Update for the LastPass Extension". LogMeIn.
  44. ^ at 19:36, Shaun Nichols in San Francisco 16 Sep 2019. "How much pass could LastPass pass if LastPass passed last pass? Login-leaking security hole fixed". Retrieved 2019-09-26.
  45. ^ "A Password-Exposing Bug Was Purged From LastPass". Wired. ISSN 1059-1028. Retrieved 2019-09-26 – via
  46. ^ "Issue 1930 - project-zero - Project Zero - Monorail". Retrieved 2019-09-17.
  47. ^ Goodin, Dan (2019-09-16). "Password-exposing bug purged from LastPass extensions". Ars Technica. Retrieved 2019-09-17.
  48. ^ "Breaking LastPass: Instant Unlock of the Password Vault". Retrieved 2022-01-02.
  49. ^ Hendrickson, Josh. "The LastPass Android App Contains 7 Trackers From Third Party Companies 😬". Review Geek. Retrieved 20 March 2021.
  50. ^ Gatlan, Sergiu. "LastPass users warned their master passwords are compromised". BleepingComputer. Retrieved 28 December 2021.
  51. ^ Toubba, Karim. "Notice of Recent Security Incident". LastPass Blog. Retrieved 26 August 2022.
  52. ^ Gatlan, Sergiu (2022-11-30). "Lastpass says hackers accessed customer data in new breach". BleepingComputer.
  53. ^ "Password Storage - OWASP Cheat Sheet Series". Retrieved 2023-02-03.
  54. ^ a b Toubba, Karim (22 December 2022). "Notice of Recent Security Incident". The LastPass Blog. Retrieved 2022-12-22.
  55. ^ Palfy, Sandor (2018-07-09). "LastPass BugCrowd Update". The LastPass Blog. Retrieved 2023-02-03.
  56. ^ "Increase your Lastpass Password Iterations | Dominion Digital Services". Retrieved 2023-02-03.
  57. ^ "Our Response to a Recent Security Incident- GoTo". Blog. Retrieved 2023-01-25.
  58. ^ Goodin, Dan (22 December 2022). "LastPass users: Your info and vault data is now in hackers' hands". Ars Technica. Retrieved 2022-12-22.
  59. ^ Sharwood, Simon. "LastPass admits attackers copied password vaults". Retrieved 2022-12-27.
  60. ^ Goodin, Dan (22 December 2022). "LastPass users: Your info and password vault data are now in hackers' hands". Ars Technica. Retrieved 2022-12-27.
  61. ^ "LastPass finally admits: Those crooks who got in? They did steal your password vaults, after all…". Naked Security. 23 December 2022. Retrieved 2022-12-28.
  62. ^ Palant, Wladimir (2022-12-26). "What's in a PR statement: LastPass breach explained". Almost Secure. Retrieved 2022-12-28.
  63. ^ Kan, Michael. "LastPass Faces Class-Action Lawsuit Over Password Vault Breach". PCMAG. Retrieved 2023-01-06.

External links[edit]