📋 What Happened & What You Should Do
What Exactly Happened in the LastPass 2022 Breach
In August 2022, an attacker gained access to LastPass's development environment and took portions of source code and proprietary technical information. LastPass initially presented this as a contained incident with no customer data involved. Then, in December 2022, it disclosed that the full picture was far worse.
According to LastPass's December 2022 and March 2023 disclosures, the attacker used information taken in August to target a senior DevOps engineer, one of a small number of staff with access to the decryption keys for the cloud storage that held production backups. A keylogger planted on the engineer's home computer (through a vulnerable third-party media software package) captured the engineer's master password after MFA had been satisfied. That gave the attacker the corporate vault and, through it, a cloud storage environment containing backups of customer vaults. The attacker stole:
- Encrypted vault fields: website usernames and passwords, secure notes and form-filled data
- Unencrypted data: the website URLs stored in your vault, plus account information such as your LastPass email/username, company name, billing address, telephone number and the IP addresses you logged in from
- Multi-factor authentication data: LastPass's March 2023 update added that a backup of its MFA/federation database, including LastPass Authenticator seeds and the phone numbers used for MFA backup, was also taken
Even though the passwords themselves were encrypted, the website URLs and the account metadata were not. Whoever holds the data can see which sites you have accounts on, including banks, email providers and other sensitive services, and can pair that with your name, email address and phone number. That is exactly what a convincing, targeted phishing campaign needs.
Are You Still at Risk in 2025?
This depends on two things: how strong your master password was at the time of the breach, and how many PBKDF2 iterations your account was configured with.
LastPass derives the key that encrypts your vault from your master password with PBKDF2-HMAC-SHA256. The default became 100,100 iterations in 2018 and was raised to 600,000 after the breach, but the iteration count is stored per account and was never retroactively updated for everyone, so many older accounts were stolen at the earlier default of 5,000, and some were reported at 500 or even a single iteration. Raising the count now does nothing for the copy the attacker already holds. That copy can be attacked offline, with no rate limiting and no lockout, so if your master password was short, reused or built from dictionary words, there is a real possibility it has already been cracked and every password in the vault is exposed.
If your master password was long and truly random (16+ characters with mixed types), you are likely still safe, but the risk is not zero and it grows over time as hardware gets faster. One point is often missed: changing your LastPass master password today protects your live account, not the stolen backup, whose encryption key is fixed by the password you used in 2022. The only way to defuse the stolen copy is to rotate the credentials stored inside it, starting with email, banking and any account that can reset others.
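To make the iteration-count point concrete, here is an added example (not LastPass's code, and not a LastPass vault format). It derives a key the way LastPass documents it, PBKDF2-HMAC-SHA256 salted with the lowercased account email, runs an offline guessing loop against a constructed weak master password, and estimates how long exhausting a keyspace takes at the old and new iteration counts. The hash rate, the email address, the candidate wordlist and the HMAC "verifier" that stands in for decrypting a stolen vault item are all assumptions made for the example.

```python
import hashlib
import hmac
import math
from typing import Iterable, Optional

# Assumption (constructed figure, not a measurement): HMAC-SHA256 throughput of an
# attacker's GPU rig. Substitute your own estimate; everything below scales with it.
ASSUMED_HMAC_SHA256_PER_SECOND = 10_000_000_000

# Iteration counts discussed in the article: the pre-2018 default, the 2018 default
# and the post-breach default.
ITERATION_COUNTS = {
    "pre-2018 default": 5_000,
    "2018 default": 100_100,
    "post-breach default": 600_000,
}


def lastpass_style_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key the way LastPass documents it: PBKDF2-HMAC-SHA256
    over the master password, salted with the lowercased account email."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, 32)


def make_verifier(key: bytes) -> bytes:
    """Hypothetical check value standing in for the real oracle (decrypting a stolen
    vault item and seeing whether it parses). This is NOT LastPass's vault format."""
    return hmac.new(key, b"vault-check", "sha256").digest()


def offline_crack(email: str, iterations: int, verifier: bytes,
                  candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing against a stolen backup: no server, no rate limit, no lockout.
    Every guess costs one PBKDF2 run, i.e. `iterations` HMAC-SHA256 computations."""
    for guess in candidates:
        candidate_key = lastpass_style_key(guess, email, iterations)
        if hmac.compare_digest(make_verifier(candidate_key), verifier):
            return guess
    return None


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password over the given alphabet."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, iterations: int,
                       hmac_rate: float = ASSUMED_HMAC_SHA256_PER_SECOND) -> float:
    """Worst-case seconds to try every password in a 2**bits keyspace. PBKDF2 cost is
    linear in the iteration count, so guesses per second = hmac_rate / iterations."""
    return (2.0 ** bits) * iterations / hmac_rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits, for the comparison table."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Constructed victim: an account that never had its iteration count raised.
    email = "alice@example.com"
    weak_master = "Summer2022!"
    iterations = ITERATION_COUNTS["pre-2018 default"]
    stolen_verifier = make_verifier(lastpass_style_key(weak_master, email, iterations))

    # Constructed wordlist; a real attacker feeds billions of leaked passwords here.
    wordlist = ["password", "letmein", "Summer2021!", "Summer2022!", "correcthorse"]
    print("offline crack result:", offline_crack(email, iterations, stolen_verifier, wordlist))

    # How master-password strength and the iteration count trade off.
    for label, bits in (("8 lowercase+digits", password_bits(36, 8)),
                        ("12 mixed printable", password_bits(95, 12)),
                        ("16 mixed printable", password_bits(95, 16))):
        for name, iters in ITERATION_COUNTS.items():
            print(f"{label:20s} {name:20s} {human_time(seconds_to_exhaust(bits, iters))}")
```

Two things the table makes visible: moving from 5,000 to 600,000 iterations buys a constant factor of 120 in attacker cost, whereas each extra random character multiplies it by the alphabet size, so under the assumed rate the 8-character alphanumeric password falls in weeks at the old count while the 16-character random one is out of reach at any count. And because the derivation is keyed by the 2022 master password and the 2022 iteration count, nothing changed on the LastPass account today alters the cost of attacking the stolen copy.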
Our Verdict: Should You Switch?
Yes, we recommend switching. Not because LastPass is definitively cracked, but because:
- The breach revealed serious security culture problems at LastPass
- Better alternatives exist at the same or lower price point
- The peace of mind alone is worth switching
- Bitwarden is free and arguably more trustworthy (open source)
Best LastPass Alternatives
1Password
Easiest migration path from LastPass. Import your LastPass export file in minutes.
Switch to 1Password →
Bitwarden
Open source, free forever. Direct LastPass import. Zero cost to switch.
Switch to Bitwarden →