Breaking
2026: LastPass expands mission with Secure Access Essentials +100,000 businesses use LastPass worldwide 2024: LastPass completes spinoff from GoTo - now independent New: Mobile Smart Scanner turns a photo into a saved password Founded 2008 in a basement in Fairfax, Virginia Zero-knowledge: AES-256 encryption - even LastPass can't read your vault 2026: LastPass expands mission with Secure Access Essentials +100,000 businesses use LastPass worldwide 2024: LastPass completes spinoff from GoTo - now independent New: Mobile Smart Scanner turns a photo into a saved password Founded 2008 in a basement in Fairfax, Virginia Zero-knowledge: AES-256 encryption - even LastPass can't read your vault
Company Profile Cybersecurity Est. 2008

LastPass

The vault that started in a basement - now rebuilding what "secure access" means for 100,000+ businesses.

Password & Identity Management Boston, MA 800+ employees Independent since 2024
LastPass logo

The LastPass mark - the red vault icon recognized by tens of millions of users. Photographed as a studio object, plain and unadorned, the way Vincent Musi would frame a working tool that people trust with everything.


100k+
Business customers
2008
Year founded
$110M
LogMeIn acquisition, 2015
AES-256
Vault encryption
The Feature

One Password to Hold Them All

A password manager is a strange kind of product. You ask people to hand over every key they own, then promise you can't see any of them. LastPass has been making that promise - and living with its consequences - since 2008.

In April 2008, four developers crowded into the basement of Joe Siegrist's house in Fairfax, Virginia, and worked ten- to twelve-hour days on a problem that everyone had and almost no one discussed: people reuse the same weak password everywhere. By late summer the team - Siegrist, Robert Billingslea and Sameer Kochar among them - shipped a public beta of a browser extension that could remember, generate and fill in passwords. They called it LastPass, a bet on the idea that it could be the last password anyone would need to memorize.

The concept was simple; the engineering was not. LastPass stores every credential in an encrypted vault, unlocked by a single master password that never leaves the user's device. The company built its system around what security engineers call a zero-knowledge model: because encryption and decryption happen locally, LastPass itself cannot read the contents of a vault, even if compelled to. That architecture is the entire pitch. It is also the reason a breach of LastPass's own servers is not automatically a breach of your passwords - a distinction that would matter enormously years later.

What LastPass actually does

At its core, LastPass generates strong, unique passwords, saves them, and autofills them across websites and apps. It syncs across browsers and devices, stores secure notes and payment cards, shares credentials with family or teammates without exposing them in plain text, and layers on multi-factor authentication. For businesses it adds admin controls, single sign-on, user provisioning, a security dashboard and dark web monitoring. The free tier covers individuals; paid Premium and Families plans add monitoring and emergency access; Teams and Business plans serve organizations by the seat.

The customers span the full range. Solo professionals and households use the consumer plans. Small and mid-sized businesses - the company counts more than 100,000 organizations globally, including over 8,000 in Australia alone - lean on LastPass because they rarely have a dedicated security team and need password hygiene handled for them. At the time of its 2022 security incident, LastPass cited more than 25 million users.

The problems it solves

The problem LastPass addresses is human, not technical. People cannot remember dozens of strong, unique passwords, so they reuse a handful of weak ones - and a single leaked password becomes a skeleton key across a person's whole digital life. LastPass removes the need to remember anything but one master password, and quietly upgrades every login to something long and random. For businesses, it converts an invisible risk - employees storing credentials in spreadsheets, browsers and sticky notes - into something a small IT team can actually see and govern.

You can't secure what you can't see.

Karim Toubba, CEO, LastPass

The breach, and the reckoning

No account of LastPass is honest without the 2022 breach. Between August and October of that year, attackers first compromised a developer's laptop to steal source code and technical documentation, then used what they learned to target a DevOps engineer's home computer and reach cloud storage holding customer vault backups. In December 2022, Amazon confirmed a copy of the backup database had been downloaded. It contained unencrypted fields such as website URLs alongside fully encrypted fields - usernames, passwords, secure notes. Researchers later linked offline cracking of some stolen vaults to real thefts, and in 2025 LastPass settled a class-action lawsuit for $24.5 million.

The company's response is now part of its identity. It raised default encryption iteration counts, expanded encryption coverage, revoked and rotated credentials, added logging and alerting, and stood up a Threat Intelligence, Mitigation and Escalation team. Karim Toubba, who had taken over as CEO only months before the incident, chose to publish detailed post-mortems rather than minimize. The episode is a permanent line in the LastPass story - and a case study taught in security courses.

Independent again

LastPass has changed hands more than once. LogMeIn (later renamed GoTo) acquired it for $110 million in 2015. When private-equity firms Francisco Partners and Elliott Investment Management took GoTo private in 2020, LastPass came along. In December 2021 GoTo announced it would spin LastPass out as a standalone company, a process completed in May 2024. LastPass now operates independently, though it still shares its private-equity owners with GoTo. It runs an 800-person global workforce as a remote-first company - famously from only about 1,100 square feet of leased headquarters space in Boston.

Where it's heading

In 2026 LastPass began redefining itself. Under the banner "Secure Access Essentials," it is extending beyond password management into browser-based access governance: discovering the unapproved SaaS apps and AI tools employees use, applying policy to them, and simplifying sign-in through passwords, single sign-on and MFA - all delivered through the existing browser extension with no extra agent to install. Alongside it came Mobile Smart Scanner, which turns a photo of a typed or handwritten credential into a saved, autofillable vault entry, plus a new Mac desktop app and a modernized security dashboard. The through-line is Toubba's thesis that the browser is where work now happens, and visibility there is the new perimeter.

How it differs

The password manager market is crowded - 1Password, Bitwarden, Dashlane, Keeper and the free managers baked into Apple and Google ecosystems all compete for the same vault. LastPass's differentiation rests on breadth and reach: one of the largest installed bases in the category, deep small-business penetration, and a widening move into identity and access management rather than passwords alone. Its scars are also, paradoxically, part of its position - few competitors have documented a major incident and its remediation as publicly. Whether that transparency rebuilds trust faster than rivals win it is the open question the next few years will answer.


The Product Line

What You Can Actually Do With It

2008 · CORE

LastPass Free

Encrypted vault, password generator, autofill and cross-device sync for individuals - the free front door to the whole platform.

2017 · CONSUMER

Premium & Families

Adds dark web monitoring, emergency access, encrypted file storage and shared family folders for households.

2016 · BUSINESS

Teams & Business

Admin controls, SSO, MFA, user provisioning and a security dashboard for 100,000+ organizations.

2016 · MFA

LastPass Authenticator

Free one-tap and code-based multi-factor authentication app to verify logins.

2026 · PLATFORM

Secure Access Essentials

Browser-based discovery of SaaS & AI apps, access control and secure sign-in bundled into one extension.

2026 · MOBILE

Mobile Smart Scanner

Photograph a typed or handwritten credential and it becomes a structured, autofillable vault entry.

The Expertise

Eighteen years of building and defending one of the most-used credential vaults on the internet:

  • Zero-knowledge, AES-256 encryption architecture
  • Password, MFA, SSO and passwordless authentication
  • SaaS & AI app discovery and access governance
  • Post-incident security engineering and threat intelligence (TIME team)

The Password Manager Field

Illustrative brand-recognition weighting among major consumer password managers - relative, not market share

LastPass
LastPass
1Password
1Password
Bitwarden
Bitwarden
Dashlane
Dashlane
Keeper
Keeper

Directional illustration for reader orientation only - not audited market data. LastPass competes with 1Password, Bitwarden, Dashlane, Keeper and native managers from Apple and Google.


The Record

Eighteen Years, One Vault

2008

Founded in a basement

Joe Siegrist and co-founders launch LastPass in Fairfax, Virginia, releasing a browser-based password manager in public beta.

2010

Acquires Xmarks

LastPass buys the popular Xmarks bookmark-syncing extension, expanding its browser footprint.

2015

Acquired by LogMeIn

LogMeIn buys LastPass for $110 million, bringing it into a larger SaaS portfolio.

2016

Authenticator & business tier

LastPass releases its MFA app and expands into business password management.

2017

LastPass Families launches

A shared family plan brings vaults and shared folders to households.

2022

Major security breach

Attackers exfiltrate source code and a copy of the customer vault backup database in a two-stage incident.

2024

Becomes independent

LastPass completes its spinoff from GoTo, operating as a standalone cybersecurity company.

2026

Secure Access Essentials

LastPass expands its mission beyond passwords into browser-based SaaS/AI discovery, access control and secure sign-in.


Watch & Read

Demos, Interviews & More


Common Questions

LastPass, Answered

Is LastPass safe to use after the 2022 breach?
LastPass responded by raising default encryption iteration counts, expanding encryption, building a threat-intelligence team and improving logging. Vaults protected by a strong, unique master password remain encrypted with zero-knowledge, AES-256 encryption - but users affected by the breach were advised to rotate stored credentials.
Is LastPass still owned by GoTo?
No. LastPass completed its spinoff from GoTo in May 2024 and is now an independent company, though it shares private-equity owners (Francisco Partners and Elliott Investment Management) with GoTo.
Does LastPass have a free plan?
Yes. LastPass offers a free personal tier with an encrypted vault, password generator, autofill and cross-device sync, alongside paid Premium, Families, Teams and Business plans.
What is Secure Access Essentials?
Announced in 2026, it's a browser-based bundle that adds discovery of unapproved apps and AI tools, access control across users, and simplified secure sign-in (password management, SSO and MFA) - extending LastPass beyond password management.
Can LastPass see my passwords?
No. LastPass uses a zero-knowledge model in which your master password and encryption keys never leave your device, so the company cannot read the contents of your vault.

Share this profile

Spread the story of the vault that started in a basement

Sources & further reading