$24.45M LastPass Data Breach Settlement,LastPass Left Your Vault Exposed in 2022, Here’s How to Claim Up to $900,000 Before July 2

LastPass US LP agreed to pay up to $24,450,000 to resolve a class action lawsuit arising from a data security incident that occurred between August and November 2022. If you received an email notice from LastPass about that breach or about this settlement, you have until July 2, 2026 to file a claim. Depending on what you lost — whether that’s time, out-of-pocket expenses, or cryptocurrency drained from a compromised wallet — your payout could range from $25 to $900,000.

Field	Detail
Settlement Amount	Up to $24,450,000
Claim Deadline	July 2, 2026
Who Qualifies	U.S. LastPass account holders whose data was exposed in the Aug.–Nov. 2022 breach
Payout Per Person	$25 statutory payment; up to $300 ordinary losses; up to $10,000 extraordinary losses; up to $900,000 crypto losses
Proof Required	Yes — varies by claim type
Settlement Status	Open for Claims (Preliminarily Approved Feb. 2, 2026)
Administrator	Epiq Global
Official Website	lastpasssettlement.com

Where things stand right now:

• The settlement received preliminary approval from the court on February 2, 2026, and claims are now open.
• The opt-out deadline is June 2, 2026 and the claim filing deadline is July 2, 2026.
• The court will hold a final approval hearing on July 14, 2026.

How Hackers Got Into LastPass Vaults — And Why It Took Months to Understand the Damage

The lawsuit alleged that LastPass failed to adequately protect user data, leading to the exposure of both encrypted and unencrypted backup storage data. What made this breach especially serious is how the attack unfolded in two separate waves.

In August 2022, hackers breached a LastPass developer’s credentials and accessed source code and internal data. LastPass initially told users the breach was contained. Then, in November 2022, attackers used information from that first intrusion to access a third-party cloud storage service where LastPass stored customers’ encrypted vault backups — including usernames, passwords, secure notes, and form-filled data.

The password-security services provider would create an $8.2 million settlement fund to compensate class members for their losses arising from the breach, with a separate fund of about $16.3 million set aside to compensate users for cryptocurrency losses. Plaintiffs argued that hackers could use the stolen encrypted vaults to attempt offline password-cracking, eventually gaining access to anything stored inside — including private cryptocurrency wallet keys. LastPass denied any wrongdoing but agreed to settle to avoid the cost and risk of further litigation.

LastPass Users Who Qualify for a Settlement Payout

To be eligible for benefits from this settlement, individuals or entities must have received an email notice from LastPass about the 2022 data security incident or about this settlement, had a LastPass account that was allegedly compromised, extracted, copied, stolen, or otherwise exposed during the August–November 2022 incident, and the account must have contained data at the time of the incident.

You likely qualify if:

• You held a Consumer Free, Consumer Premium, Consumer Family, or Business LastPass account in 2022
• Your account contained stored vault data at the time of the breach
• You received an email notice from LastPass about the 2022 incident or about this settlement
• You reside in the United States, or your organization is registered to do business in the U.S.
• California residents qualify for an additional $100 CCPA payout on top of other benefits

If you received a notice but can’t locate your Unique ID and PIN, call Epiq Global at 1-877-748-1875 or email [email protected] before filing.

Related article: Bank of America Agrees to Pay $72.5 Million Over Its Role in Epstein’s Sex-Trafficking Operation 

The Four LastPass Payout Tiers — Which One Applies to You

This settlement has more payout options than most data breach cases because the breach caused very different types of harm to different people. Here is exactly what each tier covers:

$25 statutory payment — no documented losses needed. Eligible Consumer Premium, Consumer Family, or Business Account holders with vault content can receive a $25 statutory payment. This requires no proof of actual harm — just an eligible account with stored data. Note: actual payment may shift up or down depending on how many people file.

Up to $300 for ordinary out-of-pocket losses. Claimants can receive up to $300 reimbursement per claimant for documented ordinary losses fairly traceable to the incident, covering costs related to credit monitoring, identity protection and restoration, dark web monitoring, and other security services. You must submit receipts, bank statements, or other third-party documentation.

Up to $10,000 for extraordinary losses. Class members who submit documented proof of extraordinary losses caused by the incident are eligible to receive a one-time cash payment of up to $10,000. Extraordinary losses include verified cases of identity theft, significant fraud, and similar severe financial harm directly traceable to the breach.

Up to $900,000 for cryptocurrency losses. This is the most significant and most complex tier. Validated cryptocurrency losses allegedly caused by the incident can be reimbursed up to $900,000 per claimant, subject to a $16.25 million aggregate cap across all crypto claims. Crypto claims go through additional screening managed by a court-appointed Special Master and are divided into two tiers:

• Tier 1: Your compromised wallet private keys or seed phrases are confirmed as having been stored in your LastPass vault backup
• Tier 2: You cannot recall your master password to open the vault backup, requiring additional forms of proof that your wallet credentials were stored in LastPass

Tier 1 claimants will have their claims processed by the Special Master until all claims are finalized. Tier 2 claimants will be processed only after all Tier 1 claims are complete.

Free non-cash benefits for all users. LastPass will provide dark web monitoring services for all LastPass users automatically. Consumer Free Account users at the time of the incident can also claim a complimentary 6-month upgrade to a Consumer Premium Account.

How to File Your LastPass Settlement Claim Before July 2, 2026

Claims can be filed online using the online claim form or by mailing a completed PDF claim form. Claims must be submitted online or postmarked by July 2, 2026.

1. Locate your Unique ID and PIN from the email notice LastPass sent you — you cannot file online without these. If you lost them, call 1-877-748-1875
2. Gather your supporting documents — receipts, bank statements, credit card statements, or crypto wallet records depending on which claim tier applies
3. Visit lastpasssettlement.com and log in using your Unique ID and PIN
4. Select your benefit type — statutory payment, ordinary losses, extraordinary losses, or cryptocurrency losses (you may combine eligible claims)
5. Upload documentation for any loss-based claim; California residents attest to residency for the CCPA $100 payment
6. Choose your payment method — physical check or electronic payment
7. Submit and save your confirmation number

To file by mail, download the PDF claim form at lastpasssettlement.com and postmark it by July 2, 2026 to: LastPass Data Security Incident Litigation Settlement Administrator, P.O. Box 2230, Portland, OR 97208-2230.

Estimated time to complete: 15–30 minutes (longer for crypto claims requiring documentation).

When LastPass Settlement Money Actually Hits Your Account

The two funds pay out on very different timelines — this matters if you’re filing a crypto claim.

Regular cash settlement fund payments will be made, at the earliest, in September or October 2026. Crypto Pool payments will be made, at the earliest, around March 2027.

Milestone	Date
LastPass Breach Begins	August 2022
Vault Backup Data Stolen	November 2022
Class Action Lawsuit Filed	December 2022
Preliminary Settlement Approval	February 2, 2026
Claims Period Opens	March 2026
LastPass Opt-Out Deadline	June 2, 2026
Claim Filing Deadline	July 2, 2026
Final Approval Hearing	July 14, 2026
Expected Cash Payment Date	September–October 2026
Expected Crypto Payment Date	~March 2027

Frequently Asked Questions

Do I need a lawyer to file a LastPass settlement claim? 

No. Standard claims — the $25 payment, ordinary losses up to $300, and extraordinary losses up to $10,000 — are straightforward and take 15–30 minutes at lastpasssettlement.com. Cryptocurrency loss claims are more complex and involve a Special Master review process, but you still do not need to hire a personal attorney to submit one.

Is the LastPass settlement website legitimate?

 Yes. The only authorized claim site is lastpasssettlement.com, administered by Epiq Global under supervision of the U.S. District Court for the District of Massachusetts (Case No. 1:22-cv-12047-PBS). Do not submit your Unique ID, PIN, or personal information to any other website claiming to manage this settlement.

When will LastPass settlement payments go out?

 Regular cash payments are expected in September or October 2026. Crypto Pool payments have a slower timeline, expected around March 2027, due to the additional Special Master review process required for cryptocurrency loss claims.

What if I missed the LastPass claim deadline? 

The deadline to file is July 2, 2026. Missing it means you will not receive a cash payout. The opt-out deadline is June 2, 2026 — if you miss that, you remain in the class and give up the right to sue LastPass separately over the 2022 breach.

Will my LastPass settlement payment be taxable? 

Possibly. Cash payments from data breach settlements may be treated as taxable income. The free dark web monitoring and Premium account upgrade are generally not taxable. Speak with a tax professional for advice on your specific situation.

I lost cryptocurrency — how does the LastPass crypto claim process work?

 Cryptocurrency loss claims are subject to additional screening. Tier 1 claimants — those whose compromised wallet private keys or seed phrases are confirmed as stored in their vault backup — are processed first. Tier 2 claimants, who cannot recall their master password, must provide additional evidence that wallet credentials were stored in LastPass and where within the vault they were stored. Both tiers are processed by a court-appointed Special Master.

My LastPass account had no password data stored — do I still qualify?

 No. Eligible accounts must have actively contained data at the time of the incident. Accounts that existed but had no stored vault content do not qualify for cash benefits. You may still receive free dark web monitoring automatically.

I live in California — is there an extra payment for me? 

Yes. Class members who resided in California at the time of the LastPass data breach may receive an additional $100 statutory cash payout due to state-specific provisions under the California Consumer Privacy Act, on top of whatever other benefit tier you qualify for.

Sources & References

• Official settlement website: lastpasssettlement.com
• Settlement agreement: lastpasssettlement.com/Settlement-Agreement.pdf
• Long-form notice: lastpasssettlement.com/Notice.pdf

Last Updated: March 28, 2026

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.