Back in 2022, LastPass suffered a massive data breach: attackers gained access to vault data. Millions of dollars in stolen cryptocurrency have been attributed to the leak—losses big enough to prompt class-action lawsuits against the company, which were consolidated into a single suit.
Recently, LastPass agreed to a proposed settlement of almost $25 million. But not all users qualify for the same benefits. Here’s what you need to know.
What is the LastPass settlement?
Between August and November 2022, an attacker infiltrated LastPass’s backup servers and stole both encrypted and unencrypted data. Some affected users later reported losses from cryptocurrency wallets. Multiple class-action lawsuits were filed and later consolidated as a single lawsuit in Massachusetts.
LastPass has chosen to settle the case, while admitting to no misconduct. When asked about the lawsuit, a representative said:
“While we continue to deny the alleged claims, we have agreed to a settlement to avoid the ongoing distraction and uncertainty of protracted litigation. Our focus remains on serving our customers, and over the last three years we have made substantial investments across our people, processes and technology, so that we can continue to build and keep trust in LastPass.”
What are the LastPass settlement terms?
The proposed settlement offers different benefits depending on the type of affected user, with some entitled to a higher payout related to the impact of the breach.
I highly recommend reading the settlement website’s FAQ to understand the full terms of the settlement, which contain caveats around filing claims. But for those who want a quick rundown, here’s the overview:
“In-kind relief”
LastPass will offer the following specific non-monetary compensation due to the breach:
- All LastPass users are entitled to Dark Web monitoring services.
- Free LastPass users at the time of the breach will receive a complimentary premium subscription for six months.
“Settlement Fund Benefits”
These cash payouts will come from an $8.2 million fund and start at a minimum $25 payment. If you elect to take the $25 payment, you cannot file for an ordinary or extraordinary loss payout.
Those with documented “ordinary” losses can claim up to $300—basically, a reimbursement for money spent on services to help protect an online identity or mental health. (The settlement website describes these as “credit monitoring, identity protection, identity restoration, dark web monitoring, security, physical or behavioral health services.”)
Those with documented “extraordinary” losses can claim up to $10,000. This level of payout is meant to compensate “identity theft, fraud, or similar losses” that can be linked back to the 2022 data breach. If a user qualifies for both ordinary loss and extraordinary loss payments, they may file claims for both.
California residents may claim a $100 payment related to California Consumer Privacy Act (“CCPA”) statutory damages, on top of the $25 statutory payment or the ordinary/extraordinary loss cash payment.
Actual payout amounts may be adjusted when the settlement is finalized, depending on the number of claimants and final attorney fees.
“Crypto pool benefits”
These cash payouts will come from a $16.25 million fund and are specifically for users who suffered cryptocurrency losses. Qualified claimants may seek both settlement fund benefits and crypto pool benefits.
Those with approved claims can receive up to $900,000 in compensation for the breach. Actual payments may be adjusted depending on the final attorney fees and number of claimants.
Who qualifies for the LastPass settlement?
The LastPass settlement defines those included in the settlement class as:
“[A]ll natural persons residing in the United States, as well as all companies, entities, and organizations registered to do business in the United States, whose LastPass accounts were allegedly compromised, extracted, copied, stolen, or otherwise exposed as a result of the 2022 LastPass Data Security Incident, and whose accounts contained data at the time of the Incident.”
Has LastPass begun notifying affected users?
Yes, affected users should receive an email from [email protected] with a unique identifier for use in filing a claim. (Not sure if the email address you see is truly from this sender? Check the email’s message header or message details for routing details—e.g., the “Check original” option in Gmail.)
PCWorld
This message should also summarize the lawsuit and settlement, list the settlement benefits and claim due date, describe your options for dealing with the settlement, and contain the following key information:
- A unique identifier + PIN code assigned by the settlement administrator
- The settlement’s official website URL (www.LastPassSettlement.com)
- The settlement’s official phone number (1-877-748-1875)
This contact information has been confirmed by a LastPass representative.
What if I’m not sure I qualify for the LastPass settlement?
A representative for LastPass says to contact the settlement administrator, which you can do through email, phone, or traditional mail:
Email: [email protected]
Phone: 1-877-748-1875
Mail:
LastPass Data Security Incident Litigation
Settlement Administrator
P.O. Box 2230
Portland, OR 97208-2230
Where do I file a LastPass settlement claim?
Head to www.lastpasssettlement.com/Login.
Tip: Set aside time to read through the claim instructions before preparing your documentation for any ordinary or extraordinary losses, or for the crypto pool benefits. Unlike other class-action settlements, the LastPass settlement is particular about what counts as valid documentation.
When is the deadline for LastPass settlement claims?
You should file by July 2, 2026.
Two other important dates happen one month before this claim deadline:
Opt-out date: June 2, 2026
(Applicable if you want to be excluded from the settlement class—e.g., so that you can take separate legal action against LastPass.)
Object to the settlement: June 2, 2026
(If you don’t like the terms of the settlement, or proposed attorney fees and expenses, you must file your objection by this date.)
The final approval hearing will happen on July 14, 2026. At that time, the court will decide if it will approve the proposed settlement, legal fees and costs of up to 35 percent of the settlement fund, service awards, and filed objections.
