A password manager is a strange kind of product. You ask people to hand over every key they own, then promise you can't see any of them. LastPass has been making that promise - and living with its consequences - since 2008.
In April 2008, four developers crowded into the basement of Joe Siegrist's house in Fairfax, Virginia, and worked ten- to twelve-hour days on a problem that everyone had and almost no one discussed: people reuse the same weak password everywhere. By late summer the team - Siegrist, Robert Billingslea and Sameer Kochar among them - shipped a public beta of a browser extension that could remember, generate and fill in passwords. They called it LastPass, a bet on the idea that it could be the last password anyone would need to memorize.
The concept was simple; the engineering was not. LastPass stores every credential in an encrypted vault, unlocked by a single master password that never leaves the user's device. The company built its system around what security engineers call a zero-knowledge model: because encryption and decryption happen locally, LastPass itself cannot read the contents of a vault, even if compelled to. That architecture is the entire pitch. It is also the reason a breach of LastPass's own servers is not automatically a breach of your passwords - a distinction that would matter enormously years later.
What LastPass actually does
At its core, LastPass generates strong, unique passwords, saves them, and autofills them across websites and apps. It syncs across browsers and devices, stores secure notes and payment cards, shares credentials with family or teammates without exposing them in plain text, and layers on multi-factor authentication. For businesses it adds admin controls, single sign-on, user provisioning, a security dashboard and dark web monitoring. The free tier covers individuals; paid Premium and Families plans add monitoring and emergency access; Teams and Business plans serve organizations by the seat.
The customers span the full range. Solo professionals and households use the consumer plans. Small and mid-sized businesses - the company counts more than 100,000 organizations globally, including over 8,000 in Australia alone - lean on LastPass because they rarely have a dedicated security team and need password hygiene handled for them. At the time of its 2022 security incident, LastPass cited more than 25 million users.
The problems it solves
The problem LastPass addresses is human, not technical. People cannot remember dozens of strong, unique passwords, so they reuse a handful of weak ones - and a single leaked password becomes a skeleton key across a person's whole digital life. LastPass removes the need to remember anything but one master password, and quietly upgrades every login to something long and random. For businesses, it converts an invisible risk - employees storing credentials in spreadsheets, browsers and sticky notes - into something a small IT team can actually see and govern.
The breach, and the reckoning
No account of LastPass is honest without the 2022 breach. Between August and October of that year, attackers first compromised a developer's laptop to steal source code and technical documentation, then used what they learned to target a DevOps engineer's home computer and reach cloud storage holding customer vault backups. In December 2022, Amazon confirmed a copy of the backup database had been downloaded. It contained unencrypted fields such as website URLs alongside fully encrypted fields - usernames, passwords, secure notes. Researchers later linked offline cracking of some stolen vaults to real thefts, and in 2025 LastPass settled a class-action lawsuit for $24.5 million.
The company's response is now part of its identity. It raised default encryption iteration counts, expanded encryption coverage, revoked and rotated credentials, added logging and alerting, and stood up a Threat Intelligence, Mitigation and Escalation team. Karim Toubba, who had taken over as CEO only months before the incident, chose to publish detailed post-mortems rather than minimize. The episode is a permanent line in the LastPass story - and a case study taught in security courses.
Independent again
LastPass has changed hands more than once. LogMeIn (later renamed GoTo) acquired it for $110 million in 2015. When private-equity firms Francisco Partners and Elliott Investment Management took GoTo private in 2020, LastPass came along. In December 2021 GoTo announced it would spin LastPass out as a standalone company, a process completed in May 2024. LastPass now operates independently, though it still shares its private-equity owners with GoTo. It runs an 800-person global workforce as a remote-first company - famously from only about 1,100 square feet of leased headquarters space in Boston.
Where it's heading
In 2026 LastPass began redefining itself. Under the banner "Secure Access Essentials," it is extending beyond password management into browser-based access governance: discovering the unapproved SaaS apps and AI tools employees use, applying policy to them, and simplifying sign-in through passwords, single sign-on and MFA - all delivered through the existing browser extension with no extra agent to install. Alongside it came Mobile Smart Scanner, which turns a photo of a typed or handwritten credential into a saved, autofillable vault entry, plus a new Mac desktop app and a modernized security dashboard. The through-line is Toubba's thesis that the browser is where work now happens, and visibility there is the new perimeter.
How it differs
The password manager market is crowded - 1Password, Bitwarden, Dashlane, Keeper and the free managers baked into Apple and Google ecosystems all compete for the same vault. LastPass's differentiation rests on breadth and reach: one of the largest installed bases in the category, deep small-business penetration, and a widening move into identity and access management rather than passwords alone. Its scars are also, paradoxically, part of its position - few competitors have documented a major incident and its remediation as publicly. Whether that transparency rebuilds trust faster than rivals win it is the open question the next few years will answer.