Disclosure: TheBestVPN is reader-supported. When you buy a VPN through links on our site, we may earn commissions.

How Many Times Has LastPass Been Hacked?

Key Takeaways

  • 7 documented breaches since 2011 – including encrypted vault backups stolen for every LastPass user.
  • $150 million in cryptocurrency theft has been linked to cracked 2022 LastPass vaults by federal investigators.
  • $24.5 million class action settlement agreed; claims remain open through July 2, 2026.
  • A 2025 ETH Zurich study revealed 7 new vulnerabilities, including a zero-knowledge encryption bypass.

The Story Behind the Numbers

LastPass is one of the world’s most widely used password managers, trusted by millions of users and more than 100,000 businesses. But its security record tells a troubling story. Since 2011, the platform has suffered at least seven documented security incidents – ranging from minor network anomalies to one of the most damaging breaches in cybersecurity history.

The 2022 breach stands apart from the rest. In two coordinated attacks, a single threat actor first compromised a developer’s laptop, then a senior employee’s home computer, ultimately walking away with encrypted vault backups belonging to every single LastPass user. In March 2025, FBI and U.S. Secret Service court filings linked a $150 million cryptocurrency heist to cracked LastPass vaults – stating they believe the theft originated from the 2022 breach, though LastPass disputes the connection. Separately, LastPass agreed to a $24.5 million class action settlement in November 2025, with claims open through July 2, 2026 – one of the largest password manager settlements on record.

Why This Data is Important

Password managers are built on one promise: your passwords are safer with us than anywhere else. Seven incidents in thirteen years put that promise under serious scrutiny.

Most pre-2022 incidents involved leaked email addresses, authentication hashes, and browser extension vulnerabilities – serious, but recoverable. The 2022 breach was different in scale and consequence. Attackers didn’t just steal data. They stole encrypted copies of every user’s vault – along with names, email addresses, billing addresses, phone numbers, and the IP addresses used to access LastPass. The risk doesn’t end when you change your password, because the stolen copy stays encrypted under the master password you had at the time of the theft. It stays alive for as long as that master password can be cracked offline against the stolen vault – with no time limit and no lockout.

For anyone storing sensitive credentials online, this is a clear reminder: no single tool is breach-proof. Understanding how to hide your IP address and keeping sensitive credentials off cloud-based platforms are two practical steps anyone can take today.

Looking Ahead: Future Outlook

LastPass has rebuilt significant parts of its infrastructure since 2022, including raising PBKDF2 password hashing iterations to 600,000 and fully separating development and production environments. But a 2025 ETH Zurich study revealed seven new vulnerabilities – including a bypass of LastPass’s own zero-knowledge encryption claim. For users serious about protecting their privacy online, layering security tools and avoiding single points of failure remains the smartest approach.
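To make concrete why the iteration count and the strength of the master password are what govern the offline exposure described above, here is an added example (not LastPass’s code). It assumes PBKDF2-HMAC-SHA256 as the key derivation, a legacy count of 5,000 iterations for comparison, and a constructed attacker budget of one billion HMAC rounds per second; only the 600,000 figure comes from the article.

```python
import hashlib

# Assumed parameters for illustration; the article states only the 600,000 figure.
LEGACY_ITERATIONS = 5_000       # assumed low count for comparison, not from the article
CURRENT_ITERATIONS = 600_000    # figure stated in the article
ATTACKER_HMAC_PER_SEC = 1e9     # constructed guessing budget (HMAC-SHA256 rounds/s), not a measurement


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation (assumed family); the output is what unlocks a vault copy."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def seconds_per_guess(iterations: int, hmac_per_sec: float = ATTACKER_HMAC_PER_SEC) -> float:
    """Cost of testing one candidate master password offline: one PBKDF2 run is `iterations` HMAC rounds."""
    return iterations / hmac_per_sec


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           hmac_per_sec: float = ATTACKER_HMAC_PER_SEC) -> float:
    """Expected time to recover a master password of the given entropy (half the space on average).

    No server takes part once the ciphertext is stolen, so rate limits and lockouts never apply:
    this work factor is the only thing between the stolen vault and its plaintext.
    """
    return (2 ** entropy_bits) / 2 * seconds_per_guess(iterations, hmac_per_sec)


def exposure_table(entropies=(28, 40, 60, 80)) -> dict:
    """Expected crack time in days per entropy level, at the legacy versus the current iteration count."""
    return {
        bits: {
            "legacy_days": expected_crack_seconds(bits, LEGACY_ITERATIONS) / 86_400,
            "current_days": expected_crack_seconds(bits, CURRENT_ITERATIONS) / 86_400,
        }
        for bits in entropies
    }


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed; a real vault uses a per-account salt
    key = derive_vault_key("correct horse battery staple", salt, CURRENT_ITERATIONS)
    print(f"vault key (first 8 bytes): {key[:8].hex()}")
    for bits, row in exposure_table().items():
        print(f"{bits:>3} bits: legacy {row['legacy_days']:.3g} days, current {row['current_days']:.3g} days")
```

Raising the count multiplies the attacker’s cost by 120, but each extra bit of master-password entropy doubles it, which is why a long passphrase matters more than any server-side setting once a vault copy is in someone else’s hands.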

Source & Methodology

Incident data was compiled from official LastPass Blog disclosures and cross-referenced across multiple sources. Each year’s incident is sourced individually: 2011, 2015, 2016, 2017, 2019, 2022 Incident 1, 2022 Incident 2. Settlement and cryptocurrency theft claims are sourced from Yahoo Tech and Krebs on Security.