
Is LastPass still safe after the 2022 breach?

The short answer requires context: LastPass is still a zero-knowledge password manager. Your passwords, if they were in the 2022 breach, are protected by AES-256 encryption and PBKDF2 key derivation. An attacker who obtained your vault backup still needs to crack your master password to access any credentials — which is computationally expensive if your master password was strong.

The longer answer acknowledges what is not safe: the URL metadata that was stored alongside the encrypted vault. Attackers obtained an unencrypted list of every website every affected user has accounts on. That data is out and cannot be recalled. For users with a weak master password — or accounts whose iteration counts were historically low — the risk window is broader.

Quick answer

  • Your master password was strong (12+ characters, not a dictionary word): your credential content is likely safe — but the list of sites you use was exposed; monitor those accounts for phishing
  • Your master password was weak or reused: change it immediately and consider rotating passwords on your highest-value accounts; offline brute-force on stolen vault data is a real risk
  • You are deciding whether to stay or leave: evaluate against your threat model — LastPass has remediated its infrastructure, but the architectural URL metadata gap was a design choice, not an incident
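The two actions above (rotate the highest-value accounts first, watch the exposed sites for phishing) start from the same input: the plaintext URL list an attacker now holds. The script below is an added example, not code from Softplorer or LastPass; it turns a constructed sample of that metadata into a deduplicated host list ranked by a hypothetical priority tier so you know what to rotate first. The tier keywords are an assumption to adapt to your own threat model, and the `.test` hosts are constructed, not a real vault export.

```python
from urllib.parse import urlsplit

# Constructed sample of the kind of plaintext URL metadata the page describes.
# Illustrative hosts only; this is not a real LastPass export.
EXPOSED_URLS = [
    "https://online.examplebank.test/login",
    "https://mail.example.test/",
    "http://forum.example.test/ucp.php?mode=login",
    "https://console.cloud-provider.test/",
    "https://shop.example.test/account",
    "not a url",                                  # malformed entry, skipped
    "https://online.examplebank.test/accounts",  # same host again, deduplicated
]

# Hypothetical priority tiers (assumption): lower number = rotate sooner.
# Tier 1 is money and the mailbox that resets everything else; tier 2 is
# infrastructure and admin consoles; tier 3 is stored-payment retail.
TIERS = {
    1: ("bank", "broker", "payroll", "mail", "identity", "sso"),
    2: ("cloud", "console", "admin", "vpn", "github"),
    3: ("shop", "store", "pay"),
}
DEFAULT_TIER = 4


def host_of(url: str):
    """Return the lowercase hostname, or None when the entry is not a parseable URL."""
    return urlsplit(url).hostname  # hostname is lowercased and has the port stripped


def tier_for(host: str) -> int:
    """Map a host to the first tier whose keyword list matches it."""
    for tier, keywords in TIERS.items():
        if any(keyword in host for keyword in keywords):
            return tier
    return DEFAULT_TIER


def triage(urls):
    """Deduplicate the exposed hosts and return [(tier, host), ...] in rotation order."""
    hosts = {h for h in map(host_of, urls) if h}
    return sorted((tier_for(h), h) for h in hosts)


def phishing_watchlist(urls):
    """Every host an attacker knows you have an account on; expect lures that mimic these."""
    return sorted({h for h in map(host_of, urls) if h})


if __name__ == "__main__":
    print("Rotation order (tier, host):")
    for tier, host in triage(EXPOSED_URLS):
        print(f"  {tier}  {host}")
    print("Phishing watchlist:", ", ".join(phishing_watchlist(EXPOSED_URLS)))
```

The point of the exercise is that none of this needed the master password: the site list is the part of the breach that no iteration count or key rotation can take back, so the defensive work is ordering the rotation and expecting targeted lures against exactly these hosts.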

When it matters

  • Encrypted vault data — AES-256 encrypted credential content. Protected as long as the master password is not cracked
  • Unencrypted URL metadata — the list of websites each user has accounts on. This is permanently in attacker possession and cannot be reversed
  • Billing information and account metadata — email addresses, IP addresses, and billing details for some accounts
  • PBKDF2 iteration count disparity — legacy accounts had as few as 1 PBKDF2 iteration at the time of breach. Accounts with low iteration counts are disproportionately exposed to offline brute-force
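The iteration-count point is worth making concrete, because it is the one knob that changes an attacker's offline cost by orders of magnitude. The following is an added example, not code from LastPass or Softplorer: it derives a 256-bit vault key with PBKDF2-HMAC-SHA256 at 1 versus 600,000 iterations and models the expected time to exhaust a master-password keyspace. The salt, the candidate passwords and the attacker throughput figure (`SINGLE_ITERATION_RATE`) are constructed assumptions; the AES-256 vault encryption itself is not modelled here, only the key derivation that gates it.

```python
import hashlib
import time

# Constructed salt; a real client uses a per-user salt stored with the vault.
SAMPLE_SALT = b"constructed-per-user-salt"

# Assumed attacker throughput for PBKDF2-HMAC-SHA256 at ONE iteration
# (guesses per second). The absolute number is a placeholder; only the
# ratio between iteration counts matters for the comparison below.
SINGLE_ITERATION_RATE = 1e10


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output, i.e. a 256-bit key for AES-256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def seconds_per_derivation(iterations: int, salt: bytes = SAMPLE_SALT) -> float:
    """Wall-clock cost of one derivation on this machine; it grows linearly with iterations."""
    start = time.perf_counter()
    derive_vault_key("benchmark-only", salt, iterations)
    return time.perf_counter() - start


def password_keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates for a uniformly random password of the given shape."""
    return alphabet_size ** length


def expected_offline_crack_seconds(keyspace: int, iterations: int, single_iteration_rate: float) -> float:
    """Average time to hit the master password by exhaustive search.

    Every extra PBKDF2 iteration divides the attacker's guess rate, so the work
    scales linearly with the iteration count; on average half the keyspace is
    searched before the correct guess.
    """
    guesses_per_second = single_iteration_rate / iterations
    return (keyspace / 2) / guesses_per_second


def slowdown_factor(new_iterations: int, old_iterations: int) -> float:
    """How much more work the same attack costs after raising the iteration count."""
    return new_iterations / old_iterations


if __name__ == "__main__":
    profiles = {
        "dictionary word (1e6 candidates)": 1_000_000,
        "8 random alphanumerics (62^8)": password_keyspace(8, 62),
        "12 random printable chars (94^12)": password_keyspace(12, 94),
    }
    for iterations in (1, 600_000):
        print(f"--- {iterations} PBKDF2 iteration(s): "
              f"{seconds_per_derivation(iterations) * 1000:.2f} ms per derivation here")
        for name, space in profiles.items():
            years = expected_offline_crack_seconds(space, iterations, SINGLE_ITERATION_RATE) / 31_536_000
            print(f"  {name:<36} ~{years:.3g} attacker-years")
    print(f"1 -> 600,000 iterations: {slowdown_factor(600_000, 1):,.0f}x more work per guess")
```

Two things fall out of the numbers: raising iterations from 1 to 600,000 makes every guess 600,000 times more expensive, but a dictionary-word master password still falls in seconds because the keyspace, not the iteration count, is the dominant term. That is why the page's advice splits on master-password strength rather than on the iteration count alone.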

When it fails

  • LastPass raised PBKDF2 iterations to 600,000 for all accounts post-breach and rebuilt compromised infrastructure — these are meaningful improvements
  • The URL metadata gap was not an oversight — it was an architectural decision made when the password was considered the only sensitive field. The fix would require re-architecting how metadata is stored, which LastPass has not done
  • Staying with LastPass means accepting that the list of your accounts is in attacker possession regardless of what LastPass does next

How providers fit

Staying with LastPass is a defensible choice if: your master password was strong, you are not in a high-sensitivity profession, and you have assessed the URL metadata exposure against your threat model and found it acceptable. The enterprise feature set is still competitive and the infrastructure has been rebuilt.

Leaving makes sense if: the URL metadata exposure changes your assessment of what you need from a password manager, your master password was weak, you work in a regulated sector where the breach history creates compliance concerns, or you were already considering a change and the breach is the catalyst.

If you are leaving, Bitwarden and Proton Pass are the most direct improvements. Proton Pass specifically addresses the URL metadata gap — the architectural gap that made the 2022 breach more damaging than a pure credential theft incident.

Bottom line

LastPass is not unusable after the breach — the credential encryption held. Whether it is right for you depends on your master password strength, your threat model, and whether URL metadata exposure is an acceptable risk. The breach was a demonstration of an architectural limitation, not a temporary infrastructure incident.
