Data leak

LastPass 2015 Data Breach: Email Addresses, Password Reminders, Authentication Hashes

2015-06-12 | LastPass password manager user database

Incident Details

On 12 June 2015, LastPass, one of the world's most widely used password managers with tens of millions of users, discovered that its network had been compromised and that user data had been accessed. LastPass disclosed the breach on 15 June 2015 in a blog post. Compromised data included email addresses, password reminder hints, per-user server salts, and authentication hashes. Encrypted user vaults were not compromised because they are only stored client-side. LastPass immediately required all users to verify their email addresses before accessing their accounts and prompted users to change their master passwords (particularly those with weak passwords). LastPass stated that user passwords remained safely encrypted, and that its encryption and hashing measures were sufficient that the vast majority of users should not be at risk if they had strong master passwords.

This 2015 breach was followed by more severe incidents: the August 2022 breach (developer laptop and source code theft) and the December 2022 breach (vault backups and decryption keys stolen through a compromised DevOps engineer's personal computer). The 2015 incident was the first major public breach of a major password manager. It significantly damaged user confidence in password management products generally and highlighted the extreme sensitivity of the data that password managers hold.

Technical Details

Initial Attack Vector
An unknown attacker compromised LastPass's network and gained access to the LastPass database. The specific intrusion vector was not disclosed. The attacker accessed user account email addresses, password reminders, per-user server salts, and authentication hashes.
Vendor / Product
LastPass password manager user database

Timeline

  1. 2015-06-12 Breach occurred
  2. 2015-06-15 Publicly disclosed
  3. 2015-06-15 Customers notified