We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
An email is also being sent to all users regarding this security incident. We will also be prompting all users to change their master passwords. You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites.
Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.
Security and privacy are our top concerns here at LastPass. Over the years, we have been and continue to be dedicated to transparency and proactive measures to protect our users. In addition to the above steps, we’re working with the authorities and security forensic experts.
We apologize for the extra steps of verifying your account and updating your master password, but ultimately believe this will provide you better protection. Thank you for your understanding and support.
Joe Siegrist
& the LastPass Team
Frequently Asked Questions
Why haven’t I been notified by email? Emails are being sent to all users regarding the security incident. While this takes a bit longer than posting on the blog, we are working to notify users as fast as possible.
Do I need to change my master password right now? LastPass user accounts are locked down. You can only access your account from a trusted IP address or device – otherwise, verification is requested. We are confident that you are safe on your LastPass account regardless. If you’ve used a weak, dictionary-based master password (eg: robert1, mustang, 123456799, password1!), or if you used your master password as the password for other websites you need to update it.
Recent Bluessky Posts- Any DOJ settlement that gives the President a dollar -- or a direct material benefit -- is a plain-as-day violation of the Presidential Emoluments Clause: "The President shall not receive ... any other Emolument from the United States, or any of [the states]." Art II, S.1, cl. 7. May 20, 2026 Jed H. Shugerman
- It cannot bind, because you cannot rely to your detriment on a promise you make to yourself. The document itself is an unconstitutional violation of the presidential oath. May 19, 2026 James Grimmelmann
- Historian here this is literally about gutting the Reconstruction amendments especially the consequential 14th amendment piece by piece. May 19, 2026 Manisha Sinha
- Jotwell Contracts: Orit Gan, Ordinary Contract Law, JOTWELL (May 19, 2026) (reviewing Cathy Hwang & Justin Weinstein-Tull, Contract Law and Civil Justice in Local Courts, 2026 Wis. L. Rev. 1 (2026)), contracts.jotwell.com/ordinary-con.... May 19, 2026 Jotwell
- Jotwell Courtslaw: Suzette M. Malveaux, Resilience and Judicial Power in the Aftermath of Trump v. CASA, JOTWELL (May 18, 2026) (reviewing Mila Sohoni, In CASA You Missed It, 78 Stan. L. Rev. ___ (forthcoming 2026), available at SSRN (Nov. 25, 2025)), courtslaw.jotwell.com/resilience-a.... May 18, 2026 Jotwell
