I've spent a fair amount of time on this blog documenting what Bitwarden has been quietly doing to erode the trust that made them the default recommendation after LastPass started falling apart. That's a story about opacity and greed — price hikes buried in feature posts, a new M&A-specialist CEO they didn't announce, values language quietly rewritten in the dark. That's what I document in this series.
LastPass is a different category of problem entirely. And it's been on fire longer than they told you.
This week, LastPass sent users another breach notification. This one came through Klue, a market intelligence vendor whose platform integrates with Salesforce and Gong. Hackers got in and walked out with customer names, phone numbers, email and physical addresses, and support case data. LastPass is now recommending users stay alert for phishing and social engineering. The vaults weren't touched, they said — the same thing they always say.
The Scorecard
2015: hackers obtained email addresses, password reminders, authentication hashes, and cryptographic salts. The vault was fine.
August 2022: a developer's laptop was compromised. Source code and technical information were stolen. LastPass told users the investigation was complete and there was "no evidence" of access to customer data or encrypted vaults. September 2022. Investigation done. Nothing to see here.
December 2022: four months later, LastPass disclosed that attackers had actually used that stolen technical access to reach cloud storage — and had walked out with encrypted vault backups covering roughly 30 million users. Also unencrypted names, billing addresses, email addresses, and phone numbers. The vaults were encrypted, they said. We'll come back to what that actually meant in practice.
June 2026: supply chain breach through Klue. Customer contact info and support case data. The vault wasn't touched.
About That Vault, Though
Here's the part LastPass would prefer you stay vague on.
The 2022 breach didn't just leak your name and email. The attackers walked out with encrypted vault backups for tens of millions of users — offline. No rate limiting. No lockouts. No alerts firing on their end. Just unlimited time and computing power to guess master passwords until something cracked open.
How hard is that to crack? Depends on two things: the strength of your master password, and how many iterations of PBKDF2 LastPass used to derive your encryption key.
On the first: LastPass required a minimum of 12 characters. "Abcdefghijk1" qualifies. A lot of people met the minimum and called it done.
On the second: this is where it gets genuinely damning. LastPass's default iteration count for years was 5,000. Security researcher Wladimir Palant had been flagging this as dangerously low since at least 2018. LastPass bumped the default to 100,100 iterations. But they never migrated existing accounts. They knew about the weakness, updated the defaults for new users, and left every long-term customer sitting on whatever count they'd had at signup. Some accounts were at 500. Some were at 1. At 1 iteration, the vault data might as well be in plain text.
Even 100,100 iterations drew sharp criticism from security researchers who called it the absolute minimum that could be considered secure — not strong, not robust, the floor. The NIST recommendation was 600,000. And PBKDF2 has a structural problem that compounds all of this: unlike modern alternatives like Argon2, it runs efficiently on GPUs and specialized hardware. Which is exactly what a threat actor with a stolen database full of vault backups is going to use.
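To make the iteration counts above concrete, here is an added example (not code from the original post, LastPass, or the researchers it cites). It derives a key with PBKDF2-HMAC-SHA256 from Python's standard library at each count named above, shows that the work per guess is simply proportional to the count, and times a single derivation on the local CPU. The password and salt are constructed sample values.

```python
# Added example (not from the original post): how the PBKDF2 iteration
# count translates into work per password guess. Standard library only.
from __future__ import annotations

import hashlib
import time

# Counts named in the post: the legacy LastPass values (1, 500, 5,000),
# the later 100,100 default, and the 600,000 figure cited as the floor.
ITERATION_COUNTS = [1, 500, 5000, 100_100, 600_000]

# Constructed sample inputs, not real credentials.
SAMPLE_PASSWORD = b"Abcdefghijk1"        # meets a 12-character minimum, still weak
SAMPLE_SALT = b"constructed-salt-value"


def derive_key(password: bytes, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256: the construction the post is discussing."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=length)


def relative_cost(iterations: int, baseline: int = 5000) -> float:
    """How many times more work one guess costs than at the baseline count.
    PBKDF2 cost is linear in the iteration count, so this is the plain ratio."""
    return iterations / baseline


def time_one_guess(iterations: int, password: bytes = SAMPLE_PASSWORD,
                   salt: bytes = SAMPLE_SALT) -> float:
    """Wall-clock seconds for one derivation on this CPU. Illustrative only:
    GPU hardware does many such derivations in parallel, which is the post's point."""
    start = time.perf_counter()
    derive_key(password, salt, iterations)
    return time.perf_counter() - start


def cost_table() -> dict[int, float]:
    """Relative cost of every count in ITERATION_COUNTS against the 5,000 baseline."""
    return {n: relative_cost(n) for n in ITERATION_COUNTS}


if __name__ == "__main__":
    for n in ITERATION_COUNTS:
        print(f"{n:>8} iterations: {relative_cost(n):>9.4f}x the 5,000 baseline, "
              f"{time_one_guess(n) * 1000:8.2f} ms per guess on this CPU")
```

Keys derived at different counts are unrelated to each other, so an account's count cannot be raised by the provider without the master password in hand; that is the practical reason "update the default and leave existing accounts alone" is the path of least resistance.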
The Notification
LastPass did notify users. Eventually. Here's how that timeline actually went.
August 2022: breach detected. Development environment. Source code stolen. Not great, but contained, they said.
September 2022: investigation complete. "No evidence" of access to customer data or encrypted vaults.
December 2022: four months after the initial breach, LastPass disclosed that the vaults had actually been taken. And in that same disclosure, they described their 100,100 PBKDF2 iterations as a "stronger-than-typical implementation" — at the precise moment security researchers were calling that number the bare minimum. Their advice was that the threat actor may attempt to brute force master passwords, and that users might want to consider changing their passwords if they felt like it. The communication was so thoroughly downplayed that many users never fully grasped that their entire vault had been physically taken. Not accessed. Taken. Sitting on someone else's server, being methodically worked through at whatever pace modern hardware allows.
How the Alternatives Compare
Since we're talking vault architecture, it's worth putting the options on the table — because not all password managers carry the same risk if their servers get hit.
1Password uses a two-secret model: your master password combined with a 128-bit Secret Key that's generated on your device at account creation. The Secret Key never leaves your device and 1Password never has a copy of it. A stolen 1Password vault backup is nearly useless to an attacker — brute-forcing the master password alone gets them nothing without that second key.
Dashlane uses Argon2 as its key derivation function — memory-hard and specifically designed to resist GPU-based cracking. Crucially, in 2018 when they moved from PBKDF2 to Argon2, they automatically migrated every existing customer — not just new signups. Everyone. That single decision puts them in a categorically different posture from LastPass, who updated their defaults and left long-term users to fend for themselves. Worth noting: Dashlane was actually hit in late May 2026. On May 31st, attackers launched a brute-force campaign against their 2FA device registration flow, trying to register unauthorized devices on existing accounts. Dashlane's automated systems locked targeted accounts immediately, they published a full security advisory on June 1st, and had the investigation closed with full details posted by June 4th. Affected vaults: fewer than 20, with every one of those users notified directly. Twenty vaults with a full public advisory inside four days, versus thirty million vaults and four months before LastPass admitted the backups were even taken. That gap is the whole story.
Bitwarden — and by extension Vaultwarden, which is what I run — uses the same single-secret model as LastPass. Master password only, no separate device key. But the algorithm story is meaningfully different. Bitwarden now supports both 600,000-iteration PBKDF2 and Argon2id, and in their 2026 release they started auto-migrating accounts below the iteration threshold — pushing users toward stronger settings rather than waiting for them to notice. Still a single secret, so a stolen vault is theoretically attackable. But with Argon2id, you're talking about a dramatically harder problem than whatever iteration count a LastPass account from 2014 was sitting on.
The rough hierarchy if a vault backup gets stolen: 1Password sits at the top — two secrets required, neither held by the company. Dashlane is strong — GPU-resistant algorithm, proactive migrations, and a recent incident they handled transparently and fast. Bitwarden/Vaultwarden is solid if you're on Argon2id or 600k iterations, and they're actively moving users there. LastPass is at the bottom — single secret, historically weak iterations, never migrated existing users, and the one that's actually been breached at scale.
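The difference between "updated the defaults" and "migrated every existing customer" comes down to one constraint: the service never holds the master password, so a stored record can only be re-derived while the user is present. The following added example (a simplified model, not Bitwarden's, Dashlane's or LastPass's code) shows a record created at 5,000 PBKDF2 iterations, an offline "migration" that has nothing to work with, and the upgrade that can happen at login. The 600,000 floor is the figure from the post; the record layout and function names are assumptions for illustration.

```python
# Added example (not any vendor's code): why a KDF upgrade for existing
# accounts has to happen at login. The stored record holds a salt, an
# iteration count and a verifier derived from the password, never the
# password itself, so nothing can be re-derived until the user shows up.
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIGRATION_FLOOR = 600_000  # PBKDF2 iteration threshold cited in the post


@dataclass
class AccountRecord:
    """Simplified constructed model of what a service stores per account."""
    salt: bytes
    iterations: int
    verifier: bytes
    events: list[str] = field(default_factory=list)


def derive_verifier(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def create_account(password: str, iterations: int) -> AccountRecord:
    """Signup: the one other moment the password is available to derive from."""
    salt = os.urandom(16)
    return AccountRecord(salt, iterations, derive_verifier(password, salt, iterations))


def needs_migration(record: AccountRecord) -> bool:
    return record.iterations < MIGRATION_FLOOR


def attempt_offline_migration(record: AccountRecord) -> bool:
    """What a service can do with only the stored record: nothing useful.
    There is no password to feed into PBKDF2, so the count cannot be raised."""
    record.events.append("offline migration: impossible, no password material")
    return False


def login(record: AccountRecord, password: str) -> bool:
    """Verify the password; on success, upgrade a below-floor record in place.
    This is the only moment the password exists to re-derive the verifier."""
    candidate = derive_verifier(password, record.salt, record.iterations)
    if not hmac.compare_digest(candidate, record.verifier):
        record.events.append("login failed")
        return False
    if needs_migration(record):
        old = record.iterations
        record.salt = os.urandom(16)           # fresh salt for the new derivation
        record.iterations = MIGRATION_FLOOR
        record.verifier = derive_verifier(password, record.salt, record.iterations)
        record.events.append(f"migrated {old} -> {record.iterations} iterations at login")
    return True


if __name__ == "__main__":
    legacy = create_account("constructed-sample-passphrase", iterations=5000)
    print("needs migration:", needs_migration(legacy))
    print("offline migration succeeded:", attempt_offline_migration(legacy))
    print("login ok:", login(legacy, "constructed-sample-passphrase"))
    print("iterations now:", legacy.iterations)
    print("\n".join(legacy.events))
```

Swapping PBKDF2 for Argon2id changes the function called in `derive_verifier`, not the shape of the problem: the upgrade still has to ride on a login, which is why a provider that wants every customer migrated has to push the change actively rather than wait for users to find a setting.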
The Consequences Still Landing
This isn't history. The 2022 vault backups are still being cracked.
TRM Labs traced over $35 million in cryptocurrency theft directly to cracked LastPass vaults — and noted explicitly that $35 million is likely only a fraction of actual losses. The thefts came in distinct waves: $28 million tracked through late 2024 and early 2025, another $7 million in September 2025. Funds were still flowing through Russian exchanges as recently as October 2025. Three years after the breach. Still going.
Federal prosecutors linked a $150 million cryptocurrency heist — tied to Ripple co-founder Chris Larsen — to cracked LastPass vault data from 2022. The FBI and Secret Service investigated and found no evidence of phishing or malware on the victim's devices. The credentials came from the vault. LastPass's official response was that law enforcement hadn't provided them conclusive evidence connecting the thefts to their incident.
The UK Information Commissioner's Office fined LastPass £1.6 million in November 2025. LastPass settled a class action lawsuit for $24.5 million in 2025 for losses users suffered as a direct result of that breach.
The vault is fine, until it isn't — and when it isn't, you'll find out four months later in a blog post describing weak encryption as "stronger than typical."
Okay, How Do I Actually Leave?
Good. That's the right question. Here's how to get out, as of June 2026. These steps reflect current workflows — if something looks different when you try it, each section links to the official documentation, which is the authoritative source.
Before you do anything else, check whether your destination has a direct import from LastPass — 1Password, Dashlane, and Bitwarden all do. Direct import connects straight to LastPass's servers without an unencrypted file ever touching your disk, which is meaningfully safer. Use it if you can. The CSV export path exists as a fallback, but there's no reason to put your entire password vault in a plain text file on your desktop if you don't have to.
If you do end up needing the CSV file — one universal warning: treat it like a live grenade. Import it, verify everything came across, then delete it immediately — empty your trash, and if you have a secure delete tool you trust, this is exactly what it's for. On traditional hard drives, tools like Microsoft SDelete (Windows, command line) or ASCOMP Secure Eraser (Windows, GUI, free for personal use) do what they say. On SSDs — which is most machines now — file-level overwrite tools are less reliable because the drive's wear leveling means the OS doesn't control exactly where data physically lands. On Mac, Apple removed the built-in secure delete command years ago and Disk Utility won't secure-erase individual files on SSDs. iShredder is a cross-platform option that's actively maintained. On Linux, shred -u -z filename.csv works well on HDDs. The real answer on SSDs is full-disk encryption — if FileVault (Mac), BitLocker (Windows), or LUKS (Linux) is already enabled, any recovered bits from a deleted file are unreadable without the key anyway. Which is also a decent reminder to check whether full-disk encryption is turned on while you're already in a security mindset. Get the file in, get it gone gone, and if your drive isn't encrypted yet — that's the next thing on the list.
If you need to export from LastPass first
In the browser extension: Account tab → Fix a problem yourself → Export vault items → Export data for use anywhere. Enter your master password. You'll get a CSV download or the data printed to screen — if the latter, copy it into a plain text file and save it as export.csv. In the web vault: Advanced Options → Export → verify via the email LastPass sends you (the link expires in 10 minutes) → re-initiate the export → download or copy the CSV.
One known quirk: special characters like &, <, and > sometimes get HTML-encoded in the export (&amp;, &lt;, &gt;). Open the file in a plain text editor before importing and do a find-and-replace if you see them. A password containing & that imports as &amp; will silently break every login that uses it. Note also that TOTP codes stored in LastPass Authenticator cannot be exported in the CSV — you'll need to re-enroll those manually in your new manager.
→ Going to 1Password
1Password has a direct import that connects to LastPass's servers without creating an unencrypted file on your machine — use this. Desktop app: File → Import → LastPass → enter your LastPass credentials → pick the 1Password vault to import into → done. Via web if you don't have the desktop app: sign in at 1password.com → your name (top right) → Import data → select LastPass → upload your CSV or paste the contents. Passkeys and TOTP codes won't come across, and attachments only transfer via the desktop direct import method, not via CSV.
→ Going to Dashlane
Dashlane supports direct import — no CSV file touching your disk. In the Dashlane web app: Import data (top right, or Vault menu → Settings → Import data) → select LastPass → Directly from LastPass → Go to LastPass → log in → you'll be bounced back to Dashlane with your data ready to preview → Import items. If direct import fails, fall back to the CSV method: same Import data path, select LastPass or Other CSV, drag and drop your file. iOS and macOS apps don't support CSV import — use the web app or Android app for that fallback path.
→ Going to Bitwarden (cloud)
Bitwarden also has a direct import option that skips the local CSV entirely. Browser extension: Settings → Import Items → select LastPass as format → Import directly from LastPass → enter your LastPass credentials → import. Via web vault at vault.bitwarden.com: Tools → Import Data → select LastPass (csv) from the format dropdown → upload your CSV or paste the contents. TOTP codes don't transfer, attachments need to go manually.
→ Going to Vaultwarden (self-hosted)
Vaultwarden runs the Bitwarden server API, so the official Bitwarden clients are what you use — the import process is identical to Bitwarden cloud above, just pointed at your own server instead of theirs. TOTP codes don't transfer, attachments need to go manually, same as the cloud path. If self-hosting your password manager sounds interesting, I cover my own setup in Part 8 of my home server series. Your passwords live on your hardware, full stop.
And yes, I checked my own settings before publishing this — because it occurred to me mid-draft that calling a major company out for being lazy about encryption while not actually knowing what my own instance was set to would be a special kind of hypocritical. We've all had that moment, whether it's at school, at work, or at home — halfway through making a point and suddenly realizing you should probably verify you're not doing the exact same thing. The defaults are probably fine for self-hosting, certainly better than what LastPass had going on, but I'm running better than that now. Doesn't hurt anything.
After you've moved
Once everything is imported and you've verified it all looks right in your new manager, go back into LastPass and delete your vault contents before you close the account — don't just leave the data sitting there on their servers while the account goes dormant. If you're on a paid subscription, cancel that first and confirm it before you do anything else. Most services handle cancellation and account deletion together, but given what we've covered in this post, extending LastPass the benefit of the doubt on administrative competence feels like a stretch. Cancel, confirm, then delete. Account Settings → Delete Account in the LastPass web vault. Disable the browser extension and uninstall the app while you're at it, otherwise autofill conflicts will drive you crazy. A closed account with no data is a much better outcome than an abandoned one that's still a surface area waiting for breach number four. And if you used the CSV path — delete that file.
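For anyone who took the CSV fallback, the HTML-encoding quirk from the export section above is easy to miss by eye in a large file. Here is an added example (not LastPass's or any destination manager's tooling) that scans every cell of the export for complete HTML entities such as &amp;, &lt; and &gt;, decodes only those, writes a cleaned copy, and reports which row and column changed so you can review them before importing. The header row and sample rows are constructed; the code does not depend on any particular column names.

```python
# Added example (not from LastPass or any importer): undo the HTML-encoding
# quirk in a LastPass CSV export and report exactly what was changed.
from __future__ import annotations

import csv
import html
import io
import re

# Only complete entities (with a trailing semicolon) are decoded, so a password
# that merely contains "&lt" or "&copy" without ";" is left alone.
ENTITY_PATTERN = re.compile(r"&(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);")

# Constructed sample export, not real data. Row 2 carries an encoded password.
SAMPLE_EXPORT = (
    "url,username,password,totp,extra,name,grouping,fav\n"
    "https://example.com,alice,Sp&amp;ces&lt;here&gt;,,,Example,Work,0\n"
    "https://example.org,bob,plain-password,,,Other,Personal,0\n"
)


def has_entities(value: str) -> bool:
    return ENTITY_PATTERN.search(value) is not None


def decode_entities(value: str) -> str:
    """Decode each complete entity individually; unknown names are left as-is."""
    return ENTITY_PATTERN.sub(lambda m: html.unescape(m.group(0)), value)


def clean_export(csv_text: str) -> tuple[str, list[tuple[int, str]]]:
    """Return (cleaned CSV text, [(row number, column name), ...] that changed).
    Row numbers count the header as row 1, matching what a text editor shows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    changed: list[tuple[int, str]] = []
    for row_number, row in enumerate(reader, start=2):
        for column, value in row.items():
            if value and has_entities(value):
                row[column] = decode_entities(value)
                changed.append((row_number, column))
        writer.writerow(row)
    return out.getvalue(), changed


def clean_file(src_path: str, dst_path: str) -> list[tuple[int, str]]:
    """File wrapper around clean_export; both files are plain-text secrets,
    so delete them together once the import has been verified."""
    with open(src_path, encoding="utf-8", newline="") as fh:
        cleaned, changed = clean_export(fh.read())
    with open(dst_path, "w", encoding="utf-8", newline="") as fh:
        fh.write(cleaned)
    return changed


if __name__ == "__main__":
    cleaned, changed = clean_export(SAMPLE_EXPORT)
    for row_number, column in changed:
        print(f"row {row_number}: decoded entities in column '{column}'")
    print(cleaned)
```

The change list matters more than the automatic decode: a password that genuinely contained the literal text "&amp;" would be decoded too, so check each reported cell against the login it belongs to rather than trusting the rewrite blindly. The cleaned file is just as sensitive as the original export and goes in the same bin when you are done.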
Were you a LastPass user in 2022 — have you actually rotated everything? Find me on Mastodon at @ppb1701@ppb.social.