LastPass has agreed to pay $8.2 million to settle a class action lawsuit stemming from its 2022 data breach that exposed the encrypted password vaults of over 25 million users. The breach was one of the most significant cybersecurity incidents in recent years because attackers gained access to the very tool people used to protect their most sensitive credentials. Claims are now open for affected users.
Browse all open class action settlements on OpenClassActions.com.
Status: Settlement Approved — Claims Open
What Happened in the Breach?
In August 2022, LastPass disclosed that an unauthorized party gained access to portions of its development environment. At first, LastPass described the incident as limited and said no customer data was compromised. But in December 2022, the company revealed that the breach was far worse than initially reported.
The attackers had used information stolen from the first breach to access LastPass’s cloud storage, where they copied backup files containing encrypted password vaults for millions of users. Each vault contained usernames, passwords, secure notes, and form-fill data — essentially every credential the user had stored in LastPass.
While the vaults were encrypted with each user’s master password, security researchers warned that users with weak master passwords were at serious risk. Because the attackers held offline copies of the vault backups, nothing limited how many guesses they could make: attackers could use brute-force techniques to crack shorter or simpler master passwords and then read everything inside the vault. In the months following the breach, multiple reports linked cryptocurrency thefts totaling millions of dollars to LastPass vault data.
Who Is Eligible for the Settlement?
The settlement class includes all U.S. residents who had a LastPass account at the time of the 2022 breach. This covers both free-tier users and paid subscribers. You do not need to prove that your data was specifically misused — if you had an account during the breach, you are a class member.
Claimants can seek reimbursement for out-of-pocket expenses related to the breach, including costs for credit monitoring, time spent changing passwords across multiple sites, and documented losses from fraud or identity theft connected to the breach. The settlement also provides credit monitoring services for class members.
Lessons From the LastPass Breach
The LastPass breach is a cautionary tale about entrusting all your credentials to a single service. Password managers are still considered one of the best tools for online security, but this incident highlighted the catastrophic risk when the password manager itself is compromised and the only remaining protection is the strength of the master password. Security experts recommend using a strong, unique master password of at least 16 characters, enabling multi-factor authentication on your password manager, and periodically auditing which credentials you store.
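To make the risk described above concrete, here is an added example (not code from the article, from LastPass, or from any password manager) that estimates how long an offline brute-force attempt on a stolen vault would take for a given master password. It models the vault key derivation with PBKDF2-HMAC-SHA256; the iteration count and the attacker's hashing rate are labelled assumptions, not figures from the breach. The point it shows is that the key-derivation work factor slows guessing by a constant, while each extra character of a random master password multiplies the work, which is why the 16-character recommendation matters.

```python
"""
Added example: estimate offline brute-force cost of a vault master password.
All parameters below are assumptions constructed for illustration.
"""
import hashlib
import math
import string

# Assumed KDF work factor for a generic vault (assumption, not a LastPass value).
ASSUMED_ITERATIONS = 100_000
# Assumed attacker throughput in raw HMAC-SHA256 evaluations per second
# (constructed figure, used only to scale the estimates).
ASSUMED_HASHES_PER_SECOND = 10_000_000_000
YEAR_SECONDS = 365 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ASSUMED_ITERATIONS) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256 (stand-in for a vault KDF)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def charset_size(password: str) -> int:
    """Size of the smallest standard character class set that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound guessing entropy, assuming each character is chosen uniformly.
    Real passwords (dictionary words, patterns) have far less entropy than this."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def guesses_per_second(iterations: int = ASSUMED_ITERATIONS,
                       hashes_per_second: float = ASSUMED_HASHES_PER_SECOND) -> float:
    """The KDF divides attacker throughput by its iteration count."""
    return hashes_per_second / iterations


def expected_crack_seconds(password: str, iterations: int = ASSUMED_ITERATIONS,
                           hashes_per_second: float = ASSUMED_HASHES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    expected_guesses = 2 ** (entropy_bits(password) - 1)
    return expected_guesses / guesses_per_second(iterations, hashes_per_second)


def classify(password: str) -> str:
    """Coarse risk label based on expected offline crack time under the assumptions."""
    seconds = expected_crack_seconds(password)
    if seconds < YEAR_SECONDS:
        return "weak"
    if seconds < 100 * YEAR_SECONDS:
        return "moderate"
    return "strong"


if __name__ == "__main__":
    # Constructed sample master passwords, from short lowercase to the 16+ char recommendation.
    samples = ["abcdefgh", "abcdefghij", "Correct-Horse-Battery9"]
    salt = b"constructed-salt"  # constructed; a real vault uses a per-user random salt
    for pw in samples:
        key = derive_vault_key(pw, salt)
        years = expected_crack_seconds(pw) / YEAR_SECONDS
        print(f"{pw!r:26} len={len(pw):2} entropy~{entropy_bits(pw):6.1f} bits "
              f"crack~{years:12.3g} years  [{classify(pw)}]  key={key.hex()[:16]}...")
```

Raising the iteration count (for example, tenfold) buys a fixed tenfold slowdown, whereas going from 8 to 16 random characters adds tens of bits of entropy, which is a factor in the billions. Run the script as-is to see the three constructed samples side by side; the entropy function is an upper bound, so a 16-character password built from dictionary words or personal details is weaker than the estimate suggests.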
For anyone still using the same passwords they had in their LastPass vault during the breach, the safest course of action is to change all of those passwords immediately, especially for banking, email, and cryptocurrency accounts.
This article is for informational purposes only and does not constitute legal advice. The information presented is based on publicly available court records and news reports. Written by Steve Levine for OpenClassActions.org.