When you discover that a security breach you believed to be resolved isn’t actually resolved, you feel a certain kind of dread. The majority of those who followed the LastPass incident in 2022 recall the headlines and the ambiguous corporate assurances, followed by nothing. Life went on. The next crisis overshadowed the story.
However, TRM Labs, a blockchain analysis company, revealed in late 2025 that Russian cybercriminals are still able to successfully crack cryptocurrency wallets using information taken in the initial hack. After four years. That is more of a slowly detonating device with no obvious countdown timer than a data breach.

| Category | Details |
|---|---|
| Company Name | LastPass |
| Incident Type | Cybersecurity Data Breach |
| Date of Breach | August – November 2022 |
| Data Stolen | Encrypted vault data + unencrypted user metadata |
| Settlement Amount | $24.5 Million |
| Court Certification | February 2025 (US Federal Court, Massachusetts) |
| Claim Deadline | July 2, 2026 |
| Minimum Payout | $25 statutory payment |
| Maximum Payout | $10,000 (extraordinary losses) |
| Crypto Loss Fund | $16.25 Million (up to $900,000 per claimant) |
| California Bonus | Additional $100 under state privacy law |
| Non-Cash Benefits | Dark web monitoring; 6-month free premium for free-tier users |
| Settlement Administrator | Epiq Global — contact: 1-877-748-1875 |
| Official Claim Site | lastpasssettlement.com |
| Legitimate Sender Address | LastPassSettlement@e.epiqnotice.com |
| Company Stance | Settled without admitting misconduct |

For this reason, the $24.5 million settlement that LastPass reached in the wake of a wave of consolidated class-action lawsuits in Massachusetts feels both noteworthy and oddly inadequate. The company’s decision to reach a settlement while acknowledging no wrongdoing is legally common, but it is still quietly upsetting to those who actually lost money.
According to a representative, they decided to stay away from “the ongoing distraction and uncertainty of protracted litigation.” That is a reasonable legal calculation. Whether it feels like accountability is a different question.

The settlement is divided into two different financial pools. More common claims are handled by an $8.2 million fund, which begins with a statutory payment of $25 for each user who had a LastPass account prior to November 2022. California’s privacy law allows residents to add an additional $100. This is one of the few instances where more stringent state regulations genuinely benefit regular people. Up to $300 may be awarded to users who have documented “ordinary losses,” which include expenses for identity protection, credit monitoring, or even mental health services connected to the breach. Although documentation is required, the qualifying threshold isn’t extremely high.
The $16.25 million cryptocurrency fund is the larger pool. At this point, the situation becomes truly consequential. Users may be eligible for up to $900,000 in compensation if they can directly connect their cryptocurrency losses to the 2022 breach (TRM Labs has linked millions of stolen assets to this particular incident), with extraordinary loss claims up to $10,000 for identity theft, fraud, or comparable damages.
The exact number of legitimate cryptocurrency claims that will be submitted is still unknown, so the final award amounts are largely dependent on overall participation. Each individual share may decrease with the number of claimants.
In actuality, the procedure calls for a Unique ID and PIN that were sent in April 2025 settlement notification emails, or should have been sent. LastPassSettlement@e.epiqnotice.com is the source of those emails. It’s important to remember that whenever settlements like this go public, scam lookalike websites appear almost instantly, so it makes perfect sense to be cautious before clicking. Users who did not receive the email can contact the settlement administrator directly at 1-877-748-1875. The actual website is lastpasssettlement.com. The deadline for filing is July 2, 2026, which is a reasonable date.
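The check described above, written out as an added example (not code from LastPass or Epiq): it compares a message's sender and every link host against the address and claim site named in this article. The function name, the `www.` host variant, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Sender address and claim site as given in the article.
NOTICE_SENDER = "lastpasssettlement@e.epiqnotice.com"
CLAIM_HOSTS = {"lastpasssettlement.com", "www.lastpasssettlement.com"}  # "www." form is an assumption
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def check_notice(raw):
    """Return the reasons a raw message does not match the article's details."""
    msg = message_from_string(raw)
    findings = []
    # Compare the whole address, not a substring: lookalikes embed the real name.
    _, addr = parseaddr(msg.get("From", ""))
    if addr.lower() != NOTICE_SENDER:
        findings.append(f"sender: {addr or '(missing)'}")
    text = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            text += data.decode(part.get_content_charset() or "utf-8", "replace")
    for url in URL_RE.findall(text):
        # urlsplit separates userinfo from host, so "real.com@other" resolves to "other".
        host = (urlsplit(url.rstrip(".,;")).hostname or "").rstrip(".")
        if host not in CLAIM_HOSTS:
            findings.append(f"link host: {host}")
    return findings

# Constructed sample messages (not real notices); .example is a reserved TLD.
GENUINE = (
    "From: LastPass Settlement <LastPassSettlement@e.epiqnotice.com>\n"
    "Subject: Notice of settlement\n\n"
    "File at https://lastpasssettlement.com/ using your Unique ID and PIN.\n"
)
LOOKALIKE = (
    "From: LastPass Settlement <LastPassSettlement@e.epiqnotice.com.notice.example>\n"
    "Subject: Claim your payment\n\n"
    "File at https://lastpasssettlement.com@claims.example/file or\n"
    "http://www.lastpasssettlement.com.claims.example/start today.\n"
)

if __name__ == "__main__":
    for name, raw in (("GENUINE", GENUINE), ("LOOKALIKE", LOOKALIKE)):
        print(name, check_notice(raw) or "matches the article's sender and site")
```

A From header can be forged, so an empty result only means nothing in the message contradicts the article's details. Typing lastpasssettlement.com into the browser by hand avoids relying on links in the message at all.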
In addition to the money, LastPass is providing non-cash compensation in the form of free six-month premium subscriptions for those who were on the free tier at the time of the breach and dark web monitoring for all impacted users. These are something, but they seem more like gestures than treatments. As this has been going on for almost three years, it’s difficult not to see a company balancing sincere regret with cautious legal containment, providing enough to settle legal disputes while proceeding with the least amount of structural disruption.
The ongoing nature of the harm is what sets this story apart from a typical corporate settlement. Once stolen, encrypted vault data stays available for brute-force attacks indefinitely. No matter how many iterations LastPass added to its encryption, weak master passwords—the kind that many real people use—remain vulnerable. The settlement takes care of previous wrongs.
It is unable to stop the damage that is still occurring on a server somewhere, where attempts are being made covertly against a database that contains stolen vaults. It’s not just a question of whether to submit a claim before July for former users who have cryptocurrency holdings. The question is whether those wallets have already been compromised and the damage hasn’t yet been visible.