
My password manager was breached — what do I do now?

Getting a breach notification from your password manager is one of the more disorienting security moments a person can experience. The product you trusted to protect everything else has itself been compromised. The instinct is to panic and do everything at once — change all passwords immediately, delete the account, move to something else overnight. That instinct produces mistakes. The right response is structured, not frantic.

What you actually need to do depends on which company was breached, what was taken, and what your vault contained. Not all breaches are equal. A breach that exposed encrypted vault data is different from one that exposed billing information. A breach where your master password had 600,000 PBKDF2 iterations is different from one where legacy accounts had far fewer. The first step is understanding what the breach actually means for you — before you do anything.

Quick answer

  • You were a LastPass user when the 2022 breach occurred — Prioritise changing passwords on high-value accounts immediately: banking, email, work. Your encrypted vault was taken; your master password strength determines the risk window.
  • You received a general breach notification (email, billing data) — Change your master password and enable hardware key MFA. Credential content is likely safe if your vault uses zero-knowledge encryption.
  • You want to move to a different manager after a breach — Export your vault before closing the account, import to Bitwarden or Proton Pass, then rotate passwords on critical accounts in the new vault.

When it matters

Breaches vary significantly in what they expose. The questions that determine your risk:

  • Was vault content taken, or only metadata? — The 2022 LastPass breach took encrypted vault backups alongside unencrypted URL metadata. If only billing or account data was exposed, your credentials are likely unaffected
  • What was your master password iteration count? — Older LastPass accounts had PBKDF2 iteration counts as low as 1. A short or reused master password on a low-iteration account is at real risk of offline brute-force. Modern defaults (600,000+ iterations, Argon2id) buy significant time
  • What was in your vault? — Banking credentials, email access, and work accounts are the priority. Streaming service logins are not. Triage by consequence, not alphabetically
  • Was URL metadata exposed? — Even if passwords remain encrypted, exposed URLs tell an attacker every service you have accounts on. This enables targeted phishing against those specific services

The structured response: assess what was taken → identify your highest-consequence accounts → change those first → then work through the rest systematically over days, not hours.
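The iteration-count point above is easiest to see with numbers. This is an added example, not code from the original page or from any password-manager vendor: it assumes the vault key is PBKDF2-HMAC-SHA256 salted with the account email (an assumption, not a documented detail of any product named here), treats an attacker rate of 1e9 iterations per second as a constructed placeholder, and estimates how far the iteration count stretches the offline brute-force window for a master password of a given entropy.

```python
"""Risk-window estimate for a PBKDF2-protected vault.

Added example, not Softplorer's or any vendor's code. Assumes the vault key is
PBKDF2-HMAC-SHA256 over the master password, salted with the account email;
the attacker rate (iterations per second) is a constructed placeholder.
"""
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """One vault-key derivation: the work an attacker must repeat per guess."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.encode(), iterations, 32
    )

def seconds_per_unlock(iterations: int) -> float:
    """What one legitimate unlock costs on this machine at a given count."""
    start = time.perf_counter()
    derive_vault_key("correct horse battery", "user@example.com", iterations)
    return time.perf_counter() - start

def expected_crack_seconds(entropy_bits: float, iterations: int,
                           attacker_iterations_per_second: float) -> float:
    """Average offline brute-force time: half the keyspace, each guess
    costing `iterations` HMAC-SHA256 calls (PBKDF2 does one per iteration)."""
    average_guesses = 2 ** (entropy_bits - 1)
    return average_guesses * iterations / attacker_iterations_per_second

def risk_window_years(entropy_bits: float, iterations: int,
                      attacker_iterations_per_second: float) -> float:
    return expected_crack_seconds(entropy_bits, iterations,
                                  attacker_iterations_per_second) / SECONDS_PER_YEAR

def triage(entropy_bits: float, attacker_iterations_per_second: float = 1e9) -> dict:
    """Risk window for the two counts the article cites (1 and 600,000) plus an
    arbitrary intermediate point, keyed by iteration count."""
    return {n: risk_window_years(entropy_bits, n, attacker_iterations_per_second)
            for n in (1, 100_000, 600_000)}

if __name__ == "__main__":
    for count, years in triage(40).items():   # 40 bits: a modest passphrase
        print(f"{count:>8} iterations: ~{years:.2e} years at 1e9 it/s")
    print(f"legitimate unlock at 600,000 iterations: {seconds_per_unlock(600_000):.3f}s")
```

The same 40-bit master password moves from minutes at 1 iteration to about a decade at 600,000 under the placeholder rate; the legitimate unlock cost stays well under a second, which is why raising the count is cheap for the user and expensive for the attacker.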

When it fails

  • Passwords already in an attacker's hands cannot be recalled — changing them is the only remediation. A new password manager doesn't retroactively protect what was already exposed
  • URL metadata exposure is permanent — if the list of sites you use has been taken, that information exists in attacker infrastructure regardless of what you do next. The mitigation is monitoring those accounts for suspicious activity
  • Switching managers in a panic produces new risks — rushed exports in plaintext, importing to an unverified service, weak master passwords chosen under stress. A controlled migration the day after is safer than a chaotic one in the same hour
  • If your master password was reused elsewhere, those accounts are exposed independently of any vault encryption — change it everywhere it was used

The goal after a breach is containment and priority ordering, not completeness at speed. Changing 10 critical passwords correctly is more valuable than changing 200 passwords under panic conditions.

How providers fit

Bitwarden is the most common destination after a breach. The migration path is well-documented, the import supports most major vault formats including LastPass CSV, and the architecture is fully open-source and audited. The free tier covers everything most users need. If your reason for leaving is 'I want to be able to verify the code myself,' Bitwarden is the answer.

Proton Pass fits if the 2022 LastPass incident — specifically the unencrypted URL metadata — changed what you need from a password manager. Proton Pass encrypts every field including URLs and titles. It is the architectural response to exactly that failure mode. The migration process is straightforward; the free tier is unlimited.

Keeper fits if you are migrating for an organisation rather than personally, particularly in a regulated environment. The import tooling is strong, emergency access is well-implemented, and the compliance certifications (FedRAMP, ISO 27001) may be relevant if your breach had organisational implications.

Dashlane fits if the breach response you want includes ongoing dark web monitoring as part of the same subscription. The import from LastPass is supported. The monitoring scans 20 billion breach records and will alert on credentials that appear in future incidents — relevant if the breach left you wanting earlier warning next time.

Bottom line

Bitwarden for most people who want a clean, auditable restart. Proton Pass if URL metadata exposure was the specific failure that shook your trust. Keeper if the migration involves an organisation. Don't migrate under panic — export first, breathe, then move.
