Quick Summary
| Detail | Info |
|---|---|
| Settlement fund | $24.45 million |
| Claim deadline | July 2, 2026 |
| Opt-out deadline | June 2, 2026 |
| Max payout (standard) | $10,000 |
| Max payout (crypto) | $900,000 |
| Official site | LastPassSettlement.com |
| Administrator phone | 1-877-748-1875 |
Table of Contents
Hackers stole the contents of millions of LastPass vaults in 2022, and the company just agreed to pay $24.45 million to settle the class action lawsuit that followed. If you had a LastPass account before November 2022, you are likely eligible to claim a portion of that fund, and you have until July 2, 2026 to do it.
This is not small print. Depending on what you lost, individual payouts range from $25 up to $900,000 for documented cryptocurrency losses. Most people will qualify for somewhere between those figures, and filing takes 15 to 30 minutes for standard claims.
What LastPass Lost in 2022
Between August and November 2022, attackers made two separate incursions into LastPass systems. The first compromised source code and technical information. The second used that access to break into LastPass's cloud storage and steal backup copies of customer vault data.
The attackers walked away with encrypted copies of every password stored in LastPass at the time, along with unencrypted metadata including website URLs, usernames, and account names. Encrypted vault contents required a master password to crack. The unencrypted metadata was immediately readable by anyone who had it.
For users who stored cryptocurrency wallet private keys or seed phrases in their vaults, the consequences went further. Blockchain analysts documented a pattern of crypto thefts linked directly to compromised LastPass data, with individual losses ranging from thousands to millions of dollars. The $4.4 million figure cited in most coverage is a floor, not a ceiling.
LastPass maintained throughout that encrypted vaults remained secure as long as users had strong master passwords. What the company did not communicate clearly enough is that a meaningful portion of their user base did not have strong master passwords, and that the unencrypted metadata was already operationally useful to attackers regardless of encryption strength.
Who Qualifies
The settlement covers any United States resident whose LastPass account was active and contained data at the time of the 2022 breach. If LastPass sent you an email about the incident or about this settlement, you are included as a Settlement Class Member.
The practical test: did you have a LastPass account before November 2022 with any data stored in it? If yes, you are almost certainly in the class.
What You Can Claim by Account Type
The settlement has multiple tiers, and you can combine eligible claims where they apply. The table below clarifies what each account type qualifies for, since this distinction matters for the $25 statutory payment that many articles gloss over.
| Account type at time of breach | Eligible benefits |
|---|---|
| Free account | 6-month Premium upgrade, dark web monitoring |
| Premium / Family / Business | $25 statutory payment, ordinary losses, extraordinary losses, dark web monitoring |
| California residents (any tier) | Additional $100 CCPA statutory damages |
| Crypto wallet stored in vault | Crypto pool claim up to $900,000 |
Free account users do not qualify for the $25 statutory cash payment. That tier is reserved for paid account holders. Free users receive the six-month Premium upgrade and dark web monitoring instead.
Statutory payment ($25): Available to Premium, Family, or Business account holders. This is the base payment for being affected, with minimal documentation required. Electing this option means you cannot also file for ordinary or extraordinary losses, so consider your situation before choosing.
CCPA damages ($100 additional): California residents can claim an extra $100 under state privacy law by attesting to residency and confirming what types of data were stored in their vault.
Ordinary losses (up to $300): If you spent money on credit monitoring, identity protection, dark web monitoring, or similar services after the breach, you can claim reimbursement up to $300. Receipts or bank and credit card statements showing the expenses are required.
Extraordinary losses (up to $10,000): If the breach led to documented identity theft, fraud, or similar financial losses, you can claim up to $10,000 with third-party documentation of the loss and its connection to the breach.
Cryptocurrency losses (up to $900,000): If you stored wallet private keys or seed phrases in LastPass and suffered crypto theft as a result, you may qualify for the crypto pool fund. The court appointed a Special Master to oversee the complex valuation process for this pool, given the difficulty of establishing loss amounts across different asset types and time periods. Tier 1 claims, where LastPass can confirm your keys were in the backup, are processed first. Tier 2 claims require additional evidence. The aggregate pool is $16.25 million. If total documented losses across all valid crypto claims exceed this amount, individual payouts are reduced proportionally, so a $900,000 claim may settle for less depending on overall participation.
How to File Before July 2
Standard claims take 15 to 30 minutes. Crypto claims take longer due to the documentation review process managed by the Special Master.
Step 1: Locate your Unique ID and PIN. LastPass sent settlement notices by email containing a unique identifier and PIN specific to your account. You cannot file online without these. If you cannot find the email, call the Settlement Administrator at 1-877-748-1875. Do not search for an alternative way to obtain these credentials online, since phishing sites have been created specifically to intercept settlement filers. The Settlement Administrator will never ask for your LastPass master password under any circumstances. If any site or caller requests it, treat that as a scam. If you have already entered your master password into a suspicious site, change it immediately on the official LastPass website and enable multi-factor authentication on all sensitive accounts.
Step 2: Gather documentation. For ordinary losses, pull together receipts, bank statements, or credit card statements showing breach-related expenses. For extraordinary losses, you need third-party documentation of the fraud or identity theft and its connection to LastPass. For crypto claims, gather wallet records and any documentation that places your private keys inside your LastPass vault at the time of the incident.
Step 3: File at LastPassSettlement.com. Log in using your Unique ID and PIN, select your benefit tier, and upload supporting documentation where required. California residents should complete the CCPA attestation as part of the filing. All crypto claims must be submitted online.
Step 4: Keep your confirmation. Save the confirmation code or mailing receipt as proof of submission.
To file by mail instead, download the PDF claim form from LastPassSettlement.com and postmark it by July 2, 2026 to: LastPass Data Security Incident Litigation Settlement Administrator, P.O. Box 2230, Portland, OR 97208-2230.
Is LastPassSettlement.com Legitimate?
Yes. The court appointed Epiq Systems as the official settlement administrator, and LastPassSettlement.com is the court-authorized claim site. Legitimate settlement emails come from the domain @epiqglobal.com and contain your unique ID and PIN.
Given how frequently phishing campaigns target settlement filers, take two precautions before you start: type the URL directly into your browser rather than clicking a link from any email, and verify the domain is exactly LastPassSettlement.com before entering any information. Lookalike domains with slight misspellings have been used in similar campaigns to harvest login data from people who are already worried about their security.
If you receive a phone call claiming to be from the settlement administrator asking for financial information, hang up. The administrator does not call claimants to solicit payment details.
Payout Timeline
| Milestone | Date |
|---|---|
| Opt-out / objection deadline | June 2, 2026 |
| Claim filing deadline | July 2, 2026 |
| Final approval hearing | July 14, 2026 |
| Earliest regular cash payouts | September / October 2026 |
| Earliest crypto pool payouts | March 2027 |
These timelines assume the settlement receives final approval at the July 14 hearing without significant objections. If the approval is appealed, payouts can be delayed by months or longer. Class action appeals are not common, but they happen, and the timeline shifts when they do. If you file and do not receive payment by late 2026, that does not necessarily mean your claim was rejected.
What This Should Change Going Forward
A $24.45 million settlement sounds large until you consider that the breach affected millions of accounts and the documented crypto losses from a subset of victims alone exceeded $4.4 million. For people who lost retirement savings or business funds stored in crypto wallets, no settlement amount covers what happened.
If you are filing this claim, you are likely looking for a more secure alternative to LastPass. That is a reasonable response. Not all password managers are built the same way, and the LastPass architecture, specifically the way vault backups were stored with unencrypted metadata accessible in the cloud, was a design decision that amplified the damage when the breach occurred.
For people making that switch, I recommend NordPass. It uses XChaCha20 encryption, supports passkeys, and operates on a zero-knowledge architecture that keeps vault contents inaccessible even to NordPass employees. The paid plans cost less than a single credit monitoring subscription, and there is a free tier to try before committing. See NordPass plans here.
One additional step worth taking before you close this tab: check every account where you reused a password that was stored in your LastPass vault. If the same password appears anywhere else, that account is at risk regardless of whether your master password was strong. Use SafePasswordGenerator.net to generate unique replacements for each one.
FAQ
Do I need a lawyer to file a LastPass settlement claim?
No, you do not need a lawyer to file a LastPass settlement claim. The process is designed for self-filing, and the settlement site guides you through each step. Crypto claims are more complex due to the Special Master review process, but they still do not require personal legal representation to submit.
Is LastPassSettlement.com a legitimate site?
Yes, LastPassSettlement.com is the court-authorized claim site, administered by Epiq Systems under court appointment. Type the URL directly into your browser rather than clicking from any email to ensure you land on the real site.
Can I still claim if I have already closed my LastPass account?
Yes, you can still file a claim even if you have closed your LastPass account. Eligibility is based on your account status at the time of the 2022 breach, not your current subscription status.
What should I do if I lost my LastPass settlement email?
Call 1-877-748-1875 to request your Unique ID and PIN directly from the Settlement Administrator. Do not attempt to retrieve these credentials through any other site or service.
What happens if I do nothing and skip filing?
If you do nothing, you will automatically receive dark web monitoring services as a class member, but you will not receive any cash payout. You will also give up the right to pursue separate legal action against LastPass over the 2022 breach.
Could the LastPass settlement payout timeline be delayed?
Yes, the timeline could be delayed if the July 14 court approval is appealed. The September/October 2026 timeline for regular claims and March 2027 for crypto claims both assume the settlement receives final approval without an appeal. Class action appeals are not the norm, but they do occur and push all payment dates back when they do.
What if my crypto losses were higher than $900,000?
The individual cap is $900,000, but the total crypto pool is $16.25 million. If total documented losses across all valid claims exceed the pool, individual payouts are reduced proportionally. A $900,000 claim may settle for less depending on how many victims file and how losses are valued by the Special Master.
By T.O. Mercer. Published on SafePasswordGenerator.net. This article contains affiliate links. See disclosure at the top of the page.