Over the last few years, the password manager LastPass has rethought its entire approach to security and implemented new measures to protect its consumers. Now, the company is emerging from a crisis with a rebuilt security infrastructure and a renewed mission to preserve the data of its users—and their trust—moving forward.
“We have been relentlessly working to transform nearly every facet of our organization,” LastPass CEO Karim Toubba said last year of the company’s multi-million-dollar investment in security. LastPass overhauled its security infrastructure, and revamped its approach to communication with customers in order to restore trust among the millions of people, and thousands of businesses, who use the company to store their sensitive data.
In August 2022, news broke that the company suffered two back-to-back data breaches: attackers had infiltrated the company’s backup database by targeting an employee, and were able to access customer information, like encrypted password vaults.
The encrypted vaults were protected by a user’s master password, which LastPass doesn’t store or know due to its zero-knowledge infrastructure, but the incident shook the confidence of customers—and instantly catalyzed LastPass executives to rethink security from the ground up.
From implementing new secure procedures to establishing a public-facing Compliance Center and investing in a new security team, LastPass is embracing a security-first position—one decisive step at a time.
Doubling Down on Security
The first step LastPass took after the incident was becoming an independent company. It finalized its separation from its parent company in 2024 and hired new cybersecurity experts to its executive team. They created a threat intelligence team that proactively monitors, detects, and responds to potential threats.
The company rewired its DNA to make security the foundation of its culture. This “security-first” mindset now drives every decision and innovation. The overhaul was sweeping: migration to a secure cloud platform, development of new software, and deployment of advanced security tools—reinforced by rigorous processes and a complete rearchitecture of its tech stack. LastPass was able to turn a vulnerability into resilience.
These efforts enabled LastPass to maintain the key independent, third-party certifications that consumers expect, such as SOC 2 Type 2, ISO 27001, and ISO 27701, among others. LastPass already used a zero-knowledge security architecture—where data can only be decrypted by the user, and not by the service provider—which helped mitigate the consequences of the incident. It has since expanded encryption beyond the password vaults themselves to include additional information, like URLs.
A Renewed Approach to Transparency
To offer visibility into security changes happening internally, LastPass established a Compliance Center where the public can see near real-time compliance monitoring, new policies, audit results, and documentation of current certifications.
The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team produces educational content, and publishes a weekly report on key findings—from cybersecurity trends to explainers on emerging threats.
“Transparency has been our guiding principle because trust is built on clarity, not assumptions,” said Toubba. “When we rebuilt LastPass, we didn’t just strengthen our infrastructure—we opened the process to the market. We made sure the world could see what we were doing and why.”
An Opportunity for Innovation: Protection for Small Businesses and Lean IT Teams
To do their jobs, employees often need to log into different SaaS applications and AI tools throughout the day. They might be sharing passwords with their coworkers or even third parties. They’re almost certainly using AI to help with tasks—some 40% of workers say they’ve shared “sensitive work information” with AI. Since 88% of web app breaches involve stolen credentials, this creates multiple opportunities for something to go wrong.
While large enterprises are more likely to have complex identity-access systems, smaller organizations and organizations with lean IT or security teams also need tools that are easy to deploy and still meet compliance demands.
With robust, scalable protection, LastPass offers security features tailored to help smaller organizations stay safe and efficient. This helps empower lean teams to deliver secure access as work becomes more distributed, SaaS app adoption rapidly expands, and AI introduces new risks. It centralizes credential management for IT administrators, identifies unused or unapproved apps, provides a simple way to block or allow access, and streamlines the employee onboarding and offboarding processes.
LastPass also added a new product feature, phishing-resistant passkeys, which are safer than even a long, randomized password. Customers can now create, store, and manage passkeys alongside their passwords, in their LastPass vault.
Looking Toward the Future
Security threats—especially for password managers—are omnipresent, but Toubba is optimistic about the future.
“Rebuilding security was only the beginning,” he said. “We’ve invested in people, processes, and technology to create a foundation that not only protects our customers today but anticipates the challenges of tomorrow. Security is never static, and neither are we.”