LastPass

{{short description|Password management software}}


{{Infobox company

| name = LastPass

| logo = LastPass logo.svg

| type = Private

| industry = {{Unbulleted list| Password management|Computer security}}

| foundation = {{start date and age|2008}}

| key_people = Karim Toubba, CEO (2022-Present)

| hq_location = 125 High Street

| hq_location_city = Boston, Massachusetts

| hq_location_country = United States

| revenue = $200 million (2021)

| num_employees = 800+ (2024)

| parent =

| owners = {{Unbulleted list|GoTo (2015–2024)|Francisco Partners (2024–)|Elliott Investment Management (2024–)}}

| homepage = {{URL|lastpass.com}}

| footnotes = {{cite web |last1=Chesto |first1=John |title=LastPass has a new CEO |url=https://www.bostonglobe.com/2022/04/26/business/lastpass-has-new-ceo/ |website=The Boston Globe |access-date=23 February 2023 |date=April 26, 2022}}{{cite web |last1=Chesto |first1=John |title=LastPass to stand alone as LogMeIn owners say they'll spin off the password management company |url=https://www.bostonglobe.com/2021/12/14/business/lastpass-stand-alone-logmein-owners-say-theyll-spin-off-password-management-company/ |website=The Boston Globe |access-date=23 February 2023 |date=December 14, 2021}}

}}

LastPass is a password manager application.{{cite web |last=Siegrist |first=Joe |date=9 October 2015 |title=LastPass Joins the LogMeIn Family |url=https://blog.lastpass.com/2015/10/lastpass-joins-logmein.html/ |url-status=dead |archive-url=https://web.archive.org/web/20151009182217/https://blog.lastpass.com/2015/10/lastpass-joins-logmein.html/ |archive-date=9 October 2015 |accessdate=8 August 2018 |website=blog.lastpass.com |publisher=LogMeIn}} The standard version of LastPass comes with a Web interface, but also includes plugins for various Web browsers and apps for many smartphones. It also includes support for bookmarklets.

Founded in 2008 by four developers,{{cite web |last=Stross |first=Randall |date=June 11, 2011 |title=Why Encrypted Passwords Make a Difference |url=https://www.nytimes.com/2011/06/12/technology/12digi.html |access-date=May 1, 2024 |website=The New York Times}}{{cite web |last=Orin |first=Andy |date=January 16, 2015 |title=Behind the App: The Story of LastPass |url=https://lifehacker.com/behind-the-app-the-story-of-lastpass-1669310481 |access-date=May 1, 2024 |website=Lifehacker}} LastPass was acquired by GoTo (formerly LogMeIn Inc.) for $110 million in 2015.{{cite web |last=Gagliordi |first=Natalie |date=October 9, 2015 |title=LastPass bought by LogMeIn for $110 million |url=https://www.zdnet.com/article/lastpass-bought-by-logmein-for-110-million/ |access-date=May 1, 2024 |website=ZDNET}} LastPass was spun off from GoTo into a stand-alone business in 2024.{{cite web |last=Hale |first=Craig |date=May 2, 2024 |title=LastPass officially splits from former parent GoTo |url=https://www.techradar.com/pro/lastpass-officially-splits-from-former-parent-goto |access-date=May 2, 2024 |website=TechRadar}}

LastPass suffered significant security incidents between 2011 and 2022. Notably, in late 2022, user data, billing information, and vaults (with some fields encrypted and others not){{efn|URL encryption was added in 2024|name=fn1}}{{cite web | last=Toulas | first=Bill | title=LastPass is now encrypting URLs in password vaults for better security | website=BleepingComputer | date=May 22, 2024 | url=https://www.bleepingcomputer.com/news/security/lastpass-is-now-encrypting-urls-in-password-vaults-for-better-security/#google_vignette | access-date=May 30, 2024}} were breached, leading many security professionals to call for users to change all their passwords and switch to other password managers.{{Cite magazine |last=Newman |first=Lily Hay |title=Yes, It's Time to Ditch LastPass |language=en-US |magazine=Wired |url=https://www.wired.com/story/lastpass-breach-vaults-password-managers/ |access-date=2022-12-30 |issn=1059-1028 |archive-url=https://web.archive.org/web/20240123124401/https://www.wired.com/story/lastpass-breach-vaults-password-managers/ |archive-date=2024-01-23 |url-status=live}}

Overview

A user's content in LastPass, including passwords and secure notes, is protected by one master password. The content is synchronized to any device on which the user runs the LastPass software or app extensions. Information is encrypted with AES-256, using PBKDF2 with SHA-256 and salted hashes, and users can increase the number of password iterations. Encryption and decryption take place at the device level.{{cite web |title=The best way to manage passwords |url=https://www.lastpass.com/how-lastpass-works |accessdate=8 August 2018 |publisher=LogMeIn}}{{cite web |url=https://www.howtogeek.com/121267/11-ways-to-make-your-lastpass-account-even-more-secure/ |title=11 Ways to Make Your LastPass Account Even More Secure |last=Hoffman |first=Chris |date=9 August 2012 |website=How-To Geek}}

LastPass has a form filler that automates password entry and form filling, and it supports password generation, site sharing and site logging, and two-factor authentication. Two-factor authentication is available via various methods, including the LastPass Authenticator app for mobile phones and others such as YubiKey.{{Cite web |url=https://www.pcmag.com/review/343276/lastpass-authenticator-for-iphone |title=LastPass Authenticator (for iPhone) |last=Eddy |first=Max |date=30 March 2016 |website=PCMag |publisher=Ziff Davis}}

Unlike some other major password managers, LastPass offers a user-set password hint, allowing access when the master password is missing.

History

On December 2, 2010, it was announced that LastPass had acquired Xmarks, a web browser extension that enabled password synchronization between browsers. The acquisition meant the survival of Xmarks, which had financial troubles, and although the two services remained separate, the acquisition led to a reduced price for paid premium subscriptions combining the two services.{{cite web |url=https://blog.lastpass.com/2010/12/lastpass-acquires-xmarks.html/ |title=LastPass Acquires Xmarks! |last=Gott |first=Amber |date=2 December 2010 |website=blog.lastpass.com |publisher=LogMeIn}}{{cite web |url=https://lifehacker.com/5704159/lastpass-acquires-xmarks-keeping-free-bookmark-syncing-plans-available |title=LastPass Acquires Xmarks, Keeping Free Bookmark-Syncing Plans Available |last=Purdy |first=Kevin |date=2 December 2010 |website=Lifehacker |publisher=Gizmodo Media Group}} On March 30, 2018, the Xmarks service was announced to be shut down on May 1, 2018, according to an email to LastPass users.{{Cite news |url=https://www.ghacks.net/2018/03/31/logmein-to-shut-down-xmarks-on-may-1-2018/ |title=LogMeIn to shut down Xmarks on May 1, 2018 |last=Brinkmann |first=Martin |date=1 April 2018 |work=Ghacks |archive-url=https://web.archive.org/web/20180401124824/https://www.ghacks.net/2018/03/31/logmein-to-shut-down-xmarks-on-may-1-2018/ |archive-date=1 April 2018 |url-status=live}}

On October 9, 2015, GoTo acquired LastPass for $110 million. The company was combined under the LastPass brand with a similar product, Meldium, which had already been acquired by GoTo.{{cite web |url=https://arstechnica.com/information-technology/2015/10/logmein-buys-lastpass-password-manager-for-110-million/ |title=LogMeIn buys LastPass password manager for $110 million |last=Brodkin |first=Jon |date=9 October 2015 |website=Ars Technica |publisher=Condé Nast}}{{cite web |url=https://techcrunch.com/2015/10/09/logmein-acquires-password-management-software-lastpass-for-110-million/ |title=LogMeIn Acquires Password Management Software LastPass For $110 Million |last=Perez |first=Sarah |date=9 October 2015 |website=TechCrunch |publisher=Oath Tech Network}}

On March 16, 2016, LastPass released LastPass Authenticator, a free two-factor authentication app.{{cite web |url=http://www.androidpolice.com/2016/03/16/lastpass-releases-its-own-2-factor-mobile-authenticator-app/ |title=LastPass Releases Its Own 2-Factor Mobile Authenticator App |last=Whitwam |first=Ryan |date=16 March 2016 |website=AndroidPolice |publisher=Illogical Robot}}

On November 2, 2016, LastPass announced that free accounts would now support synchronizing user content to any device, a feature previously exclusive to paid accounts. Earlier, a free account on the service meant it would sync content to only one app.{{cite web |url=https://blog.lastpass.com/2016/11/get-lastpass-everywhere-multi-device-access-is-now-free.html/ |title=Get LastPass Everywhere: Multi-Device Access Is Now Free! |last=Siegriest |first=Joe |date=2 November 2016 |website=blog.lastpass.com |publisher=LogMeIn}}{{cite web |url=https://www.theverge.com/2016/11/2/13490614/lastpass-makes-password-syncing-free |title=There's now one less excuse not to use a password manager |last=Kastrenakes |first=Jacob |date=2 November 2016 |website=The Verge |publisher=Vox Media}}

In August 2017, LastPass announced LastPass Families, a family plan for sharing passwords, bank account info, and other sensitive data among family members for a $48 annual subscription. They also doubled the price of the Premium version without adding any new features to it. Instead, some features of the free version were removed.{{Cite web |url=https://9to5google.com/2017/08/03/lastpass-families-plan-doubles-premium-option/ |title=LastPass announces pricing for 'Families' plan; doubles cost of Premium option |last=Maring |first=Joe |date=3 August 2017 |website=9to5Google}}

On December 14, 2021, GoTo announced that LastPass would be established as an independent company.{{cite web |url=https://www.logmein.com/fr/newsroom/press-release/2021/logmein-set-to-establish-lastpass-as-an-independent-cloud-security-company-amid-strong-market-demand |title=LogMeIn Set to Establish LastPass as an Independent Cloud Security Company Amid Strong Market Demand |date=14 December 2021 |publisher=LogMeIn |accessdate=11 October 2022}} The spin-off was completed in May 2024, with LastPass being directly controlled by Francisco Partners and Elliott Investment Management, the private equity firms that took GoTo private in 2020.{{Cite news |last=Chesto |first=Jon |date=May 2, 2024 |title=LastPass completes spinoff from GoTo |url=https://www.bostonglobe.com/2024/05/02/business/lastpass-spinoff-goto-talking-points/ |work=The Boston Globe}}

Reception

In March 2009, PC Magazine awarded LastPass five stars, an "Excellent" mark, and their "Editors' Choice" for password management.{{cite web |url=https://www.pcmag.com/article2/0,2817,2343562,00.asp |title=LastPass 1.50 Review |last=Rubenking |first=Neil |date=20 March 2009 |website=PCMag |publisher=Ziff Davis |archiveurl=https://web.archive.org/web/20090324052427/http://www.pcmag.com/article2/0%2C2817%2C2343562%2C00.asp |archivedate=24 March 2009 |url-status=usurped}} A new review in 2016, following the release of LastPass 4.0, again earned the service five stars, an "Outstanding" mark, and the "Editors' Choice" honor.{{cite magazine |first=Neil |last=Rubenking |title=LastPass 4.0 Review |url=http://uk.pcmag.com/lastpass-40/504/review/lastpass-40 |magazine=PC Magazine |date=November 2, 2016 |accessdate=November 2, 2016}}

In July 2010, LastPass's security model was extensively covered and approved of by Steve Gibson in his Security Now podcast episode 256.{{cite web |url=https://twit.tv/shows/security-now/episodes/256 |title=Security Now 256: LastPass Security |last1=Gibson |first1=Steve |last2=Laporte |first2=Leo |date=10 June 2010 |website=TWiT.tv}} He also revisited the subject and how it relates to the National Security Agency in Security Now podcast episode 421.{{cite web |url=http://twit.tv/show/security-now/421 |title=Security Now 421: The Perfect Accusation |last1=Gibson |first1=Steve |last2=Laporte |first2=Leo |date=11 September 2013 |website=TWiT.tv}}

In October 2015, when GoTo acquired LastPass, founder Joe Siegrist's blog was filled with user comments voicing criticism of GoTo.{{cite web |url=https://arstechnica.com/information-technology/2015/10/logmein-buys-lastpass-password-manager-for-110-million/ |title=LogMeIn buys LastPass password manager for $110 million |last=Brodkin |first=Jon |date=9 October 2015 |website=Ars Technica |publisher=Condé Nast}} The websites ZDNet, Forbes and InfoWorld posted articles mentioning the outcry by existing customers, some of whom said they would refuse to do business with GoTo, and raised other concerns about GoTo's reputation.{{Cite web |url=https://www.zdnet.com/article/lastpass-bought-by-logmein-for-110-million/ |title=LastPass bought by LogMeIn for $110 million; ... outcry from LastPass users, some of whom say they refuse to do business with LogMeIn |date=2015-10-09 |website=ZDNet |access-date=2019-06-12}}{{Cite web |url=https://www.forbes.com/sites/abigailtracy/2015/10/09/lastpass-joins-logmein-but-not-everyone-is-thrilled-about-it/#259659855cad |title=LastPass Joins LogMeIn, But Not Everyone Is Thrilled About It |date=2015-10-09 |website=Forbes |access-date=2019-06-12}}{{Cite web |url=https://www.infoworld.com/article/2991412/logmein-acquires-lastpass-to-beef-up-identity-portoflio.html |title=LogMeIn acquires LastPass to beef up identity portfolio |date=2015-10-09 |website=InfoWorld |access-date=2019-06-12}}

A 2017 Consumer Reports article described LastPass as a popular password manager (alongside Dashlane, KeePass, and 1Password), with the choice between them mostly down to personal preference.{{Cite news |url=https://www.consumerreports.org/digital-security/everything-you-need-to-know-about-password-managers/ |title=Everything You Need to Know About Password Managers |last=Chaikivsky |first=Andrew |date=7 February 2017 |work=Consumer Reports}} In March 2019, LastPass was awarded the Best Product in Identity Management award during the seventh annual Cyber Defense Magazine InfoSec Awards.{{cite web |url=https://www.techfunnel.com/information-technology/lastpass-by-logmein-awarded-2019-infosec-recognition/ |title=LastPass by LogMeIn Awarded 2019 InfoSec Recognition |last=Shah |first=Megha |date=20 March 2019 |website=Tech Funnel}}

Security incidents

= 2015 security breach =

In June 2015, the LastPass team discovered and halted suspicious activity on their network. Their investigation revealed that LastPass account email addresses, password reminders, server per-user salts, and authentication hashes were compromised; however, encrypted user vault data was not affected.{{cite web |url=https://arstechnica.com/security/2015/06/hack-of-cloud-based-lastpass-exposes-encrypted-master-passwords/ |title=Hack of cloud-based LastPass exposes hashed master passwords |last=Goodin |first=Dan |date=June 15, 2015 |website=Ars Technica |publisher=Condé Nast}}

= 2021 third-party trackers and security incident =

In 2021, it was discovered that the Android app contained third-party trackers.{{Cite web |last=Anderson |first=Tim |date=25 February 2021 |title=1Password has none, KeePass has none... So why are there seven embedded trackers in the LastPass Android app? |url=https://www.theregister.com/2021/02/25/lastpass_android_trackers_found/ |access-date=31 August 2023 |website=The Register |language=en}} At the end of 2021, LastPass warned users that their master passwords were compromised.{{cite web |last1=Gatlan |first1=Sergiu |title=LastPass users warned their master passwords are compromised |url=https://www.bleepingcomputer.com/news/security/lastpass-users-warned-their-master-passwords-are-compromised/ |website=Bleeping Computer |access-date=28 December 2021}}

= 2022 customer data and partially-encrypted vault theft =

In August 2022, a hacker stole a copy of a customer database, and some copies of the customers' password vaults. The stolen information includes names, email addresses, billing addresses, partial credit cards and website URLs.{{cite web |last1=Goodin |first1=Dan |title=The number of companies caught up in recent hacks keeps growing |url=https://arstechnica.com/information-technology/2022/08/the-number-of-companies-caught-up-in-the-twilio-hack-keeps-growing/ |website=Ars Technica |access-date=2024-09-19 |language=en-us |date=26 August 2022}} Some of the data in the vaults was unencrypted, while other data was encrypted with users' master passwords. The security of each user's encrypted data depends on the strength of the user's master password, on whether the password had previously been leaked, and on the number of rounds of encryption used. Details of the number of rounds for each customer were stolen. Some customer vaults were more vulnerable to decryption than others.{{cite web |last1=Clark |first1=Mitchell |title=Hackers stole encrypted LastPass password vaults, and we're just now hearing about it |url=https://www.theverge.com/2022/12/22/23523322/lastpass-data-breach-cloud-encrypted-password-vault-hackers |website=The Verge |access-date=2024-09-20 |language=en |date=23 December 2022}}
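
As an added illustration (not taken from the cited sources and not LastPass's own code), the following Python example shows why exposure differs per vault: each password guess costs one chained PBKDF2 HMAC-SHA-256 call per round, so the expected offline guessing time scales with both the master password's strength and the per-account round count. The account records, entropy estimates, round counts and the attacker rate are constructed assumptions.

```python
import hashlib
import hmac

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def pbkdf2_sha256_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit key: one PBKDF2 block of chained HMAC-SHA-256 calls."""
    u = hmac.new(password, salt + (1).to_bytes(4, "big"), hashlib.sha256).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        # Every round needs the previous round's output, so the work per
        # guess cannot be skipped; it grows linearly with the round count.
        u = hmac.new(password, u, hashlib.sha256).digest()
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(32, "big")

def matches_stdlib(password: bytes, salt: bytes, iterations: int) -> bool:
    """Cross-check the explicit loop against hashlib's PBKDF2."""
    ref = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)
    return hmac.compare_digest(ref, pbkdf2_sha256_key(password, salt, iterations))

def expected_guess_years(entropy_bits: float, iterations: int,
                         hmacs_per_second: float) -> float:
    """Average search time for a password drawn from 2**entropy_bits candidates."""
    guesses = 2.0 ** (entropy_bits - 1)  # on average half the space is searched
    return guesses * iterations / hmacs_per_second / SECONDS_PER_YEAR

def triage(accounts, hmacs_per_second: float, min_years: float):
    """Return (id, years, at_risk) tuples, weakest vault first."""
    rows = []
    for acct in accounts:
        # A master password already present in a leak offers no search space.
        bits = 0 if acct.get("leaked") else acct["entropy_bits"]
        years = expected_guess_years(bits, acct["iterations"], hmacs_per_second)
        rows.append((acct["id"], years, years < min_years))
    return sorted(rows, key=lambda row: row[1])

# Constructed sample records; none of these values come from the breach.
ACCOUNTS = [
    {"id": "alice", "iterations": 600_000, "entropy_bits": 60},
    {"id": "bob", "iterations": 1_000, "entropy_bits": 60},
    {"id": "carol", "iterations": 600_000, "entropy_bits": 30},
    {"id": "dave", "iterations": 1_000, "entropy_bits": 30},
    {"id": "erin", "iterations": 600_000, "entropy_bits": 60, "leaked": True},
]
ASSUMED_RATE = 1e9  # assumed HMAC-SHA-256 calls per second, not a measurement

if __name__ == "__main__":
    print("loop matches hashlib:", matches_stdlib(b"example", b"user-salt", 1000))
    for acct_id, years, at_risk in triage(ACCOUNTS, ASSUMED_RATE, min_years=100):
        action = "rotate stored credentials first" if at_risk else "lower priority"
        print(f"{acct_id:6s} {years:12.3e} years  {action}")
```

In this constructed data a high round count does not protect a weak or leaked master password, while a strong password remains costly to guess even at a low round count.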

In November 2022, LastPass assured users that passwords stored with the service were still secure.{{Cite web |title=Lastpass says hackers accessed customer data in new breach |url=https://www.bleepingcomputer.com/news/security/lastpass-says-hackers-accessed-customer-data-in-new-breach/ |first=Sergiu |last=Gatlan |date=2022-11-30 |website=BleepingComputer |language=en-us}}

The customer data included customers' names, billing addresses, phone numbers, email addresses, IP addresses and partial credit card numbers, as well as the number of rounds of encryption used, multi-factor authentication (MFA) seeds and device identifiers. The vault data included, for each breached user, unencrypted website URLs{{efn|name=fn1}} and site names, and encrypted usernames, passwords and form data for those sites.

The threat actor first gained unauthorized access to portions of LastPass's development environment, source code, and technical information through a single compromised developer's laptop computer.{{cite web |last1=Toubba |first1=Karim |title=Notice of Recent Security Incident |url=https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/ |access-date=26 August 2022 |website=LastPass Blog}} LastPass responded by rebuilding their development environment and rotating certificates.{{cite web |last1=Toubba |first1=Karim |title=Security Incident Update and Recommended Actions |url=https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/ |website=The LastPass Blog |access-date=2023-03-05 |date=1 March 2023}} The actor, however, used the information to target and hack the computer of a senior DevOps engineer, and used a keystroke logger to obtain that engineer's master password. The actor then gained access to an encrypted corporate vault, which was shared between just four engineers. That vault contained keys to the Amazon S3 "buckets" holding backups of customer files.{{cite web |last1=Goodin |first1=Dan |title=LastPass says employee's home computer was hacked and corporate vault taken |url=https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/ |website=Ars Technica |access-date=2023-02-28 |language=en-us |date=28 February 2023}} The actor obtained the user database of August 14, 2022, and several password vault backups taken between August 20 and September 16, 2022.{{Cite web |title=What data was accessed? - LastPass Support |url=https://support.lastpass.com/help/what-data-was-accessed |access-date=2023-03-05 |website=support.lastpass.com |language=en}}

Commentators expressed concerns that if a user's master password was weak or leaked,{{cite web |last1=Goodin |first1=Dan |title=LastPass users: Your info and vault data is now in hackers' hands |url=https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/ |website=Ars Technica |access-date=2022-12-22 |language=en-us |date=22 December 2022}} the encrypted parts of the customer's data could be decrypted.{{cite web |last1=Sharwood |first1=Simon |title=LastPass admits attackers copied password vaults |url=https://www.theregister.com/2022/12/23/lastpass_attack_update/ |website=www.theregister.com |access-date=2022-12-27 |language=en}} Initially, LastPass stated no action was necessary for the majority of its customers,{{cite web |last1=Toubba |first1=Karim |date=22 December 2022 |title=Notice of Recent Security Incident |url=https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/ |access-date=2022-12-22 |website=The LastPass Blog}} but other sources recommended changing all passwords and vigilance against possible phishing attacks.{{cite web |title=LastPass finally admits: Those crooks who got in? They did steal your password vaults, after all… |url=https://nakedsecurity.sophos.com/2022/12/23/lastpass-finally-admits-they-did-steal-your-password-vaults-after-all/ |website=Naked Security |access-date=2022-12-28 |date=23 December 2022 |archive-date=2022-12-28 |archive-url=https://web.archive.org/web/20221228195019/https://nakedsecurity.sophos.com/2022/12/23/lastpass-finally-admits-they-did-steal-your-password-vaults-after-all/ |url-status=dead }}

A class-action lawsuit was initiated in early 2023, with the anonymous plaintiff stating that LastPass failed to keep users' information safe.{{cite web |last1=Kan |first1=Michael |title=LastPass Faces Class-Action Lawsuit Over Password Vault Breach |url=https://www.pcmag.com/news/lastpass-faces-class-action-lawsuit-over-password-vault-breach |website=PCMAG |date=5 January 2023 |access-date=2023-01-06 |language=en}} Of particular concern in the lawsuit was the increased risk of the details being used in phishing attacks.

In September 2023, a potential link was made between the 2022 data theft and a total of more than $35 million in cryptocurrency that had been stolen from over 150 victims since December 2022. The link was made due to the fact that almost all victims were LastPass users.{{Cite web |last=Weatherbed |first=Jess |date=2023-09-07 |title=LastPass security breach linked to $35 million stolen in crypto heists |url=https://www.theverge.com/2023/9/7/23862658/lastpass-security-breach-crypto-heists-hackers |access-date=2023-09-08 |website=The Verge |language=en-US}}{{cite web |title=Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach – Krebs on Security |url=https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/ |access-date=2024-09-20 |date=9 September 2023}} In 2025, a larger heist of $150 million was also linked to the 2022 data theft.{{cite web |title=Feds Link $150M Cyberheist to 2022 LastPass Hacks – Krebs on Security |url=https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks/ |access-date=2025-03-08}}

Notes

{{notelist}}

References

{{Reflist}}