LastPass Data Breach
| Field | Value |
|---|---|
| Company | LastPass |
| Breach Date | August 12, 2022 |
| Disclosure Date | December 22, 2022 |
| Records Affected | 25 million |
In 2022, LastPass suffered a devastating two-stage breach that resulted in the theft of encrypted password vaults for approximately 25 million users. The breach began with a compromised developer account in August and escalated when attackers used stolen data to target a senior engineer's home computer.
What Happened
In August 2022, an attacker compromised a LastPass developer's account and stole source code and proprietary technical information. Using information from this first breach, the attacker then targeted one of only four senior DevOps engineers who held the decryption keys for LastPass's cloud storage. The attacker exploited a vulnerability in Plex media software on the engineer's home computer to install a keylogger, which captured the master password for LastPass's corporate vault. That vault in turn gave the attacker access to encrypted backups of customer vault data stored in Amazon S3 buckets. Because each customer vault is encrypted with a key derived from that user's master password, the stolen copies can be attacked offline: vaults protected by weak master passwords or low password-iteration settings are at risk of being cracked by brute force.
What Data Was Exposed
- Encrypted password vaults (website URLs are unencrypted)
- Email addresses
- Billing addresses
- Phone numbers
- IP addresses used to access LastPass
- Company names
- Master password reminder hints
- LastPass MFA settings
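The first item above matters more than it looks: because the website URLs inside the vaults were stored in cleartext, an attacker who cannot decrypt a vault still learns where its owner has accounts and can prioritize them. The same cleartext field lets a defender do the reverse, namely list what was visible and decide which passwords to change first. The following script is an added example, not part of the original page or LastPass's own tooling; it assumes the column layout of a LastPass CSV export (`url,username,password,totp,extra,name,grouping,fav`) and the convention that secure notes carry the placeholder URL `http://sn`, and the vault rows are constructed for illustration.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample export. The column layout and the "http://sn" marker for
# secure notes are assumptions about the LastPass CSV export format.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://www.examplebank.com/login,alice,Pa55w0rd!,,,Example Bank,Finance,1
https://exchange.example-crypto.com,alice@example.com,hunter2,,,Crypto Exchange,Finance,0
https://mail.example.com,alice@example.com,correct-horse,,,Webmail,Personal,0
https://forum.example.org,alice_f,forumpass,,,Hobby Forum,Personal,0
http://sn,,,,,Secure Note,Notes,0
"""

# Priority tiers follow the order the page recommends for password changes
# (cryptocurrency, financial, email, then everything else). The keyword lists
# are illustrative, not an exhaustive classification.
TIERS = (
    ("cryptocurrency", ("crypto", "wallet", "exchange")),
    ("financial", ("bank", "card", "finance")),
    ("email", ("mail",)),
)
RANK = {"cryptocurrency": 0, "financial": 1, "email": 2, "other": 3}


def classify(host: str, grouping: str) -> str:
    """Assign a change-priority tier from the cleartext host name and folder."""
    text = f"{host} {grouping}".lower()
    for tier, keywords in TIERS:
        if any(keyword in text for keyword in keywords):
            return tier
    return "other"


def triage_export(csv_text: str) -> list[dict]:
    """Return one record per site login, highest change priority first.

    Only the fields an attacker could read without the vault key (host, name,
    folder) plus whether TOTP was stored are kept; passwords are never copied
    into the output.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = urlsplit(row["url"]).hostname or ""
        if host in ("", "sn"):  # secure notes are not site logins
            continue
        rows.append({
            "host": host,
            "name": row["name"],
            "tier": classify(host, row.get("grouping", "")),
            "has_totp": bool(row.get("totp")),
        })
    return sorted(rows, key=lambda r: RANK[r["tier"]])


if __name__ == "__main__":
    for entry in triage_export(SAMPLE_EXPORT):
        print(f"{entry['tier']:<15} {entry['host']:<32} {entry['name']}")
```

Run it against a real export only on a trusted machine and delete the CSV afterwards; the point of the script is that the host list alone, without any decryption, already tells you which accounts to rotate first.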
Who Is Affected
All users who had a LastPass account at the time of the breach, approximately 25 million, were affected. Users with weak master passwords, or who never raised their password iteration setting from an old default, are at the highest risk of having their vault decrypted. Subsequent cryptocurrency thefts totaling over $35 million have been linked to cracked LastPass vaults.
How to Check If You Were Affected
If you had a LastPass account in 2022, your encrypted vault was stolen; there is no separate check to run, so assume you are affected. Visit HaveIBeenPwned.com to confirm your email was in the breach. Immediately prioritize changing all passwords stored in your vault, especially for financial accounts and cryptocurrency wallets.
What You Should Do Now
- Change your LastPass master password to a strong, unique passphrase (16+ characters)
- Change EVERY password stored in your LastPass vault, prioritizing financial, email, and cryptocurrency accounts
- Move cryptocurrency to new wallets with freshly generated seed phrases
- Enable the strongest MFA option available on your LastPass account
- Increase your password iterations (PBKDF2) to at least 600,000 in LastPass settings, so that every guess at your master password costs an attacker proportionally more computation
- Consider migrating to an alternative password manager
- Enable MFA on all accounts that were stored in your vault
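The first and fifth steps above are two sides of the same calculation: the vault key is derived from the master password with PBKDF2, so the attacker's cost per guess scales with the iteration count, and the number of guesses needed scales with the strength of the passphrase. The following script is an added example, not LastPass's code; it uses the standard library's PBKDF2-HMAC-SHA256 and assumes, for illustration only, that the account email serves as the salt and that 5,000 is a representative low legacy iteration count. It derives a key at a low and at the recommended count, times the difference, and flags the two settings that decide how crackable a stolen copy is.

```python
import hashlib
import time

RECOMMENDED_ITERATIONS = 600_000   # minimum the page recommends
MIN_PASSPHRASE_LENGTH = 16         # "16+ characters" from the page
LEGACY_ITERATIONS = 5_000          # illustrative low count (assumption)


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password, salted with the account email.

    The password-plus-email-salt shape is an assumption made for this example;
    it is not a reproduction of the product's exact key-derivation code.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def seconds_per_derivation(iterations: int, email: str = "alice@example.com") -> float:
    """Wall-clock cost of one key derivation, i.e. of one offline guess."""
    start = time.perf_counter()
    derive_vault_key("constructed-timing-input", email, iterations)
    return time.perf_counter() - start


def relative_guess_cost(old_iterations: int, new_iterations: int) -> float:
    """How many times more work each guess costs at the new iteration count."""
    return new_iterations / old_iterations


def assess_vault_settings(master_password: str, iterations: int) -> list[str]:
    """Flag the two settings the page identifies as deciding vault crackability."""
    findings = []
    if iterations < RECOMMENDED_ITERATIONS:
        findings.append(
            f"iteration count {iterations} is below the recommended {RECOMMENDED_ITERATIONS}"
        )
    if len(master_password) < MIN_PASSPHRASE_LENGTH:
        findings.append(
            f"master password is {len(master_password)} characters, under {MIN_PASSPHRASE_LENGTH}"
        )
    return findings


if __name__ == "__main__":
    # Constructed inputs; the passphrase is a well-known example, not a real credential.
    email = "alice@example.com"
    for iterations in (LEGACY_ITERATIONS, RECOMMENDED_ITERATIONS):
        print(f"{iterations:>8} iterations: {seconds_per_derivation(iterations, email):.4f} s per guess")
    print(f"cost ratio: {relative_guess_cost(LEGACY_ITERATIONS, RECOMMENDED_ITERATIONS):.0f}x")
    for pw in ("hunter2", "correct horse battery staple"):
        print(pw, "->", assess_vault_settings(pw, LEGACY_ITERATIONS) or ["no findings"])
```

One caveat the timing makes obvious: raising the iteration count re-encrypts the vault LastPass holds today, but the copy stolen in 2022 was produced under whatever count was in force then and cannot be changed after the fact. The higher count protects against future theft; only changing the stored passwords (steps two and three) protects against the copy already taken.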
Last updated: February 10, 2026