Can you trust LastPass in 2026? Inside the multimillion-dollar quest to rebuild its security culture
ZDNET’s key takeaways
- LastPass’s CEO says the 2022 data breach has driven the company to greater security heights.
- The firm’s security standards are now “beyond what would normally be expected of a standard security program.”
- LastPass also says “security is at the very heart of what we do for the consumer.”
In an interview with ZDNET, Karim Toubba, the Chief Executive Officer of LastPass, said that the significant security incident that has dogged the firm’s footsteps since 2022 became “a forcing function to drive a lot of changes.”
What is LastPass?
Based in Boston, Massachusetts, LastPass is a security and identity management solutions provider known for its password management vault. Founded in 2008, the organization was acquired by GoTo (formerly LogMeIn) in 2015, then spun off as an independent outfit in 2024.
2022 security incidents
If you are a company that provides privacy and security solutions to the general public and businesses, the last thing you want is to be embroiled in a data breach. Unfortunately for LastPass, this is what happened in 2022.
In August of that year, an “unauthorized party” gained access to portions of the LastPass development environment via a compromised developer account and stole some of LastPass’s source code and technical data.
It didn’t end there. Information stolen during this attack led to further compromise, including the theft of basic customer account information and related metadata — such as names, billing addresses, email addresses, telephone numbers, and IP addresses. Furthermore, a backup copy of customer vault data was accessed. Although encrypted, it was still accessed by an intruder who managed to steal a master password from a senior engineer’s home computer.
The security incident occurred in 2022, and so you might think that four years later, memories would have faded. However, the fallout from the data breach was the latest in a string of security concerns. When you associate a password manager with risk, it’s a long road to regain consumer trust.
The aftermath
Toubba’s arrival at LastPass in 2022 was followed by a steady stream of company-wide changes. With the very foundations of LastPass rocked by the data breach, Toubba told me that the firm has been “steadily at work” rebuilding from the ground up.
“I like to tell customers that it’s easier to tell them what hasn’t changed in the last three to four years than what has,” Toubba said.
Changes focused on three areas: people, processes, and technology. Funds were poured into the application itself, the firm’s infrastructure, and a shift to the cloud. Security controls were implemented across each system.
Given the human factor’s centrality to the security incident, the new CEO also focused on assessing the security posture of employee devices.
“We significantly changed the technology stack of all of our employees, [such as] the security capabilities that are on their devices, and then issued new devices to all employees in the form of laptops that were completely locked down,” Toubba commented. “I’m a Mac user, and as an example, I can’t even go to the App Store with my Mac — I can only use corporate-sanctioned applications, which are focused and validated.”
Hardware authentication measures were rolled out across the board, such as YubiKey dongles. LastPass also overhauled its employee training program, formed a dedicated security team, and engaged third parties for ongoing security audits, including penetration testing.
The future of LastPass
LastPass has made a number of recent improvements, with new services appearing for both consumer and business markets. These include authentication controls to combat shadow SaaS and rogue AI application usage.
According to Toubba, LastPass will continue to balance its approach for both markets, and while there is value in managing credentials, there’s also “real value in gaining much broader visibility beyond credential management and the challenges [businesses] have.”
Enhanced security practices, improvements under the hood, and increased transparency are all changes in the right direction, but are they enough to re-earn customers’ trust?
I asked Toubba why customers should trust LastPass now. This was his response:
“In business and in life, when you’re confronted with something pretty meaningful, you kind of have to ask yourself a question: what am I going to do? What’s my goal? Am I going to try and spin this, or am I going to use this as a forcing function for change?
“We did the latter. We made a multi-year, multi-million-dollar investment, and we went beyond what would normally be expected of a standard security program. We are proud of the exemplary work that does not just lead to being more secure, but leads us to leading within the industry of what leadership, transparency, and the sharing of information looks like. […] So, I would say the new and improved LastPass, if you will, is one that puts security at the very heart of what we do for the consumer.”
