Is LastPass Safe? The Breach That Keeps On Taking

Thirty million vaults stolen. Over $150 million in crypto drained. Phishing campaigns still running. Academic proof the encryption was flawed. Three years later, the 2022 breach is not history. It is still happening.

Most data breaches are a bad week. Maybe a bad month if the press picks it up. The company issues an apology, offers free credit monitoring, and everyone moves on. The LastPass breach is not that. It has become something closer to a permanent condition, one that is still unfolding more than three years after the initial attack with no end in sight. If you are here because you searched “is LastPass safe,” the short answer is no. The long answer is worse.

In August 2022, attackers compromised a LastPass developer’s machine through social engineering. Not a zero-day exploit. Not some sophisticated nation-state attack chain. Social engineering — one of the oldest tricks in the book. They called somebody, or tricked somebody, and got in. From that foothold they moved into the development environment and eventually made it to backup storage, where they stole encrypted copies of customer password vaults. Not metadata. Not email addresses. The actual vaults containing every password, every login, every secure note that millions of users had entrusted to LastPass. The crown jewels, all of them, in one haul.

How many vaults? About 30 million. Thirty million encrypted vaults, downloaded in bulk by attackers who now had all the time in the world to work through them. And it was not just the encrypted stuff. LastPass confirmed that unencrypted data came along for the ride too: customer names, email addresses, billing addresses, partial credit card numbers, and the URLs of every website stored in each vault. So before cracking a single vault, the attackers already knew who you are, where you live, how to reach you, and which services you use. That is a staggering amount of intelligence just sitting there unencrypted next to the vaults.

LastPass told users not to worry. The vaults were encrypted with AES-256. Cracking them would be virtually impossible. Strong master passwords meant you were safe, even with the vaults in enemy hands.

They were wrong.

The problem with stealing encrypted vaults is that there is no clock running against you. No server keeping you out. No rate limiting. No lockout after ten failed attempts. You just download the vault and start guessing master passwords on your own hardware, at your own pace, with whatever tools you have. And every year the tools get better and the hardware gets cheaper. That is exactly what happened.

Blockchain analytics firm TRM Labs started tracking cryptocurrency thefts linked to cracked LastPass vaults in 2023. By the end of 2025, they had traced roughly $35 million in stolen crypto, with on-chain indicators pointing to Russian cybercriminal actors laundering the funds through Cryptex (sanctioned by OFAC in 2024) and Wasabi Wallet. TRM Labs said themselves that their figure was likely only a fraction of the real total.

They were right about that. In March 2025, U.S. federal agents confirmed that a $150 million cryptocurrency heist, one that hit Ripple co-founder Chris Larsen in January 2024, was linked to the same 2022 LastPass breach. Federal prosecutors in northern California seized about $24 million in clawed-back crypto. Same playbook every time: crack the master password, open the vault, find the crypto seed phrases in Secure Notes, drain the wallets. A single breach in 2022, still generating nine-figure paydays in 2025. The stolen vaults do not expire. The passwords inside do not rot. The attackers have forever.

LastPass, for its part, said it has seen “no definitive proof” the cyberheists were linked to its breach. The FBI, TRM Labs, and federal prosecutors disagree. The UK’s Information Commissioner’s Office did not seem convinced either; they fined LastPass £1.2 million for security failings that led to the breach. That fine looks almost comical next to $150 million in confirmed stolen crypto, but at least someone noticed.

And then there is the phishing. As if cracking vaults at leisure was not enough, attackers figured out that LastPass users are now a uniquely anxious population. In January 2026, a phishing campaign hit LastPass customers with emails designed to look like official maintenance notifications, urging users to “back up their vaults” within 24 hours. The emails linked to fake login pages hosted on Amazon S3 that redirected to a spoofed LastPass domain. The timing was deliberate: launched over a U.S. holiday weekend when staffing was low and response times were slow. LastPass confirmed it was real and disrupted the initial infrastructure. The attackers changed their links and sent another wave. This was the third such campaign targeting LastPass users in just a few months.

Think about the psychology here. You are a LastPass user. You know your vault was stolen. You have been reading about crypto thefts for two years. You are already nervous. Then an email arrives that looks official and tells you to take action immediately to protect your vault. Of course some percentage of people are going to click. Every master password harvested through phishing is a vault that does not even need to be cracked anymore. It just opens.
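As an added illustration (my code, not LastPass's or any vendor's), a small triage check over a constructed message modelled on the campaign described above: it flags sender and link hosts outside an assumed allowlist (LEGIT_DOMAINS), links served from object-storage buckets such as S3, and deadline wording. The allowlist and both sample messages are assumptions; the check inspects the literal link host only and does not follow redirects.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the style of the campaign described above; not a real message.
SAMPLE_PHISH = """From: "LastPass Support" <support@lastpass-maintenance.example>
Subject: Scheduled maintenance: back up your vault within 24 hours

Due to scheduled maintenance you must back up your vault within 24 hours.
Click here: https://lastpass-backup.s3.amazonaws.com/login.html
"""
# Constructed benign control message.
SAMPLE_BENIGN = """From: "LastPass" <noreply@lastpass.com>
Subject: Your monthly account summary

Your summary is available at https://www.lastpass.com/account
"""

LEGIT_DOMAINS = {"lastpass.com"}                               # assumed allowlist
BUCKET_MARKERS = ("s3.amazonaws.com", ".s3.", "s3-website")    # object-storage hosts
URL_RE = re.compile(r"https?://[^\s<>\"']+")
SENDER_RE = re.compile(r"^From:.*?<([^>]+)>", re.M)
URGENCY_RE = re.compile(r"\b(within\s+\d+\s+hours?|immediately|right away)\b", re.I)

def in_allowlist(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def analyze(raw):
    """Return human-readable findings for a raw message; empty list means nothing flagged."""
    findings = []
    m = SENDER_RE.search(raw)
    if m:
        sender_domain = m.group(1).rsplit("@", 1)[-1]
        if not in_allowlist(sender_domain):
            findings.append(f"sender domain not in allowlist: {sender_domain}")
    for url in URL_RE.findall(raw):
        host = (urlparse(url).hostname or "").lower()
        if not in_allowlist(host):
            findings.append(f"link host not in allowlist: {host}")
        if any(marker in host for marker in BUCKET_MARKERS):
            findings.append(f"link served from object storage bucket: {host}")
    if URGENCY_RE.search(raw):
        findings.append("deadline or urgency wording")
    return findings

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, analyze(msg))
```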

Then in February 2026, researchers at ETH Zurich and the Università della Svizzera italiana published what should have been the final nail. They found 25 critical vulnerabilities across three major cloud-based password managers: 12 in Bitwarden, 7 in LastPass, 6 in Dashlane. Over 60 million users affected. The big finding? That “zero-knowledge encryption” every cloud password manager markets as their core security promise? It can be bypassed if the central server is compromised. The researchers set up servers that behaved like compromised password manager infrastructure, tested what happens when the server deviates from expected behavior, and watched the zero-knowledge promise collapse.

The central server. The one that was already compromised in 2022. Let that sink in for a second. The researchers proved that the architecture these services are built on has fundamental problems: key escrow mechanisms that can be exploited, flawed item-level encryption, sharing features that compromise vault integrity, legacy code that enables downgrade attacks. The majority of their demonstrated attacks resulted in full password recovery. The encryption was never as strong as the marketing said. The “zero-knowledge” claim, the idea that the company cannot see your data even if they wanted to, turned out to be a marketing line more than an engineering reality.
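The page does not spell out which downgrade path the researchers used, so the following added example (mine, not the study's or any vendor's code) illustrates one general class of the "server deviates from expected behavior" problem: a client that accepts whatever key-derivation parameters the server sends, beside one that pins a floor and refuses weaker offers. That servers hand out KDF parameters at all, and the names PINNED, naive_client, hardened_client and the sample server responses, are assumptions.

```python
import hashlib

# Assumed client policy: pin the KDF and an iteration floor locally, so a server
# that deviates (for example, a compromised one offering legacy settings) cannot
# talk the client into a weaker derivation of the vault key.
PINNED = {"kdf": "pbkdf2-sha256", "iterations": 600_000}
ALLOWED_KDFS = {"pbkdf2-sha256"}
SALT = b"constructed-salt-for-demo"   # constructed; real salts are random per user

# Constructed server responses: one honest, two attempting a downgrade.
HONEST_SERVER = {"kdf": "pbkdf2-sha256", "iterations": 600_000}
LEGACY_SERVER = {"kdf": "pbkdf2-sha256", "iterations": 5_000}
UNKNOWN_SERVER = {"kdf": "pbkdf2-sha1", "iterations": 600_000}

class DowngradeError(Exception):
    """Raised when the server's KDF offer is weaker than the client's pin."""

def derive_key(master_password, salt, params):
    """Derive the 32-byte vault key from the master password with the given parameters."""
    if params["kdf"] not in ALLOWED_KDFS:
        raise ValueError(f"unsupported kdf {params['kdf']!r}")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, params["iterations"], dklen=32)

def naive_client(server_params):
    """Pattern to avoid: take whatever parameters the server sends."""
    return dict(server_params)

def hardened_client(server_params, pinned=PINNED):
    """Accept the offer only if it is at least as strong as the local pin."""
    kdf = server_params.get("kdf")
    if kdf not in ALLOWED_KDFS:
        raise DowngradeError(f"server offered unknown or legacy kdf {kdf!r}")
    if server_params.get("iterations", 0) < pinned["iterations"]:
        raise DowngradeError("server offered fewer iterations than the pinned floor")
    return dict(server_params)

def unlock(master_password, server_params, client=hardened_client):
    """Full flow: validate the server's offer under the chosen policy, then derive the key."""
    params = client(server_params)
    return derive_key(master_password, SALT, params)

if __name__ == "__main__":
    print(unlock("correct horse battery staple", HONEST_SERVER).hex())
    try:
        unlock("correct horse battery staple", LEGACY_SERVER)
    except DowngradeError as e:
        print("refused:", e)
```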

And this is not just a LastPass story. In December 2022, the same month LastPass was disclosing breach details, Norton LifeLock discovered attackers using credential stuffing to break into nearly 925,000 password manager accounts. No special exploit needed. Just a list of reused credentials and a login page that did not lock them out fast enough. Norton could not rule out that attackers had accessed customer vaults. Different company, different vulnerability, same outcome: customer vaults potentially exposed because they were stored on someone else’s servers, protected by someone else’s infrastructure, vulnerable to someone else’s mistakes.

This is the core issue and it is not going away. When millions of vaults sit on one company’s servers, a breach is never just a moment in time. It is a permanent condition. Why would a criminal spend weeks trying to hack one person’s device when they can hack one company and get 30 million vaults in an afternoon? Centralized data is a centralized target. The payoff is massive because it is everyone’s data at once. And once that data is stolen, the damage compounds. Every year, better hardware. Every month, more cracked vaults. Every week, another phishing campaign fishing for master passwords.

That is the bet you make with a cloud-based password manager. You are betting that the company never has a bad day. That no employee ever falls for a phone call. That no server is ever misconfigured. That no legacy code ever introduces a hole. That every single link in the chain holds, forever. The LastPass breach proved that bet is a losing one. ETH Zurich proved it was structurally doomed from the start.

Stellar Password Manager was built on a different premise. Your data lives on your device, encrypted locally with your master password. There is no central server holding 30 million vaults in a single honeypot. There is no backup system an attacker can raid for a career-making jackpot. If someone wants your data, they need your device and your master password. The attack surface is one person, not 30 million.

And no, this is not some paranoid refusal to touch the cloud. Stellar works with cloud storage. You can back up and sync through iCloud, Google Drive, OneDrive, whatever your platform supports. The difference is how it gets there. Stellar accesses cloud storage through your platform’s native file system, the same way you would move any other file on your computer. We did not build cloud services. We did not spin up servers. There is no proprietary infrastructure on our end that can be compromised. Your data moves through systems you already control, using interfaces your operating system already provides. On iOS, Android, Windows, it does not matter. The platform bridges that boundary, not us.

That distinction matters more than it sounds like it should. When a cloud password manager gets breached, the attacker gets access to the company’s infrastructure and everything sitting on it. When your data lives on your device and syncs through your own accounts, there is no company infrastructure to breach. An attacker would need to compromise your personal device or your personal cloud account, and that is a fundamentally different proposition. One person’s vault is a terrible return on investment for a criminal. Thirty million vaults behind a single door is a career.

We are not going to stand here and claim local storage is invincible. Nothing is. But the math is different when your architecture was designed around offline from the beginning, not when offline was bolted on later as a feature. Stellar was built this way from day one. Your data is yours. Where it goes is your call. And nobody is storing 30 million copies of it on a server somewhere, waiting for the next social engineering phone call to swing the vault door open.

Is LastPass safe? Thirty million vaults stolen. Over $150 million in crypto drained from cracked vaults. Ongoing phishing campaigns targeting an anxious user base. Academic proof that the encryption architecture was flawed from the start. This is not a breach anymore. It is a condition, an ongoing state of compromise that started in 2022 and shows no signs of ending.

LastPass is not the exception. It is the inevitable result of putting everyone’s secrets behind one door and hoping nobody finds the key. The door was found in 2022. People are still paying for it in 2026. We think there is a better way.

Sources: TRM Labs blockchain analysis (Dec. 2025); Krebs on Security federal investigation reporting (Mar. 2025); ETH Zurich & USI password manager security study (Feb. 2026); LastPass official breach disclosures (2022–2026); LastPass phishing campaign alerts (Jan. 2026); Norton LifeLock credential stuffing disclosure (Jan. 2023); UK Information Commissioner’s Office enforcement action (Dec. 2025); FBI IC3; U.S. Department of Justice cryptocurrency seizure filings.