Khaberni - Password managers are among the safest and most effective tools for protecting digital accounts, because they spare the user from writing passwords on sticky notes or keeping them in insecure files.
But what happens when these tools themselves suffer a security breach? And can trust in them be restored?
This is the question facing millions of "LastPass" users today, after one of the most serious breaches in the company's history exposed personal data of individual users and businesses, reopening the debate about how secure password managers really are.
A breach that shakes trust
"LastPass" suffered a security breach that affected data belonging to approximately 20 million individual users and 100,000 businesses.
The leaked data included names, email addresses, phone numbers, and the website links stored in users' vaults, according to a report published by "slashgear" and reviewed by "Al Arabiya Business".
Although the "zero-knowledge" design, in which each vault is encrypted on the user's own device with a key derived from a master password that the company never holds, meant the attackers could not simply read the stored passwords, the incident was treated as a serious alarm for anyone relying on "LastPass" or considering it, and was reason enough for some users to move their data to other services. The caveat a practitioner would add: once an encrypted vault has been copied, the only thing standing between the attacker and its contents is the strength of the master password and the cost of the key derivation, because the copy can be attacked offline with no rate limit and no second factor in the way.
Limited fine and widespread criticism
The UK Information Commissioner's Office fined "LastPass" £1.2 million (about $1.6 million), a sum described as modest relative to the extent of the damage: it works out to less than one dollar per affected user in the UK alone.
Two incidents, not one
What is more alarming is that the breach was not a single incident but a chain of security failures.
In the first incident, an attacker compromised the work computer of a "LastPass" developer and used it to enter the company's internal development environment; no user data was taken at that stage.
The situation changed in the second incident, when the attacker targeted a senior engineer through a known vulnerability in third-party media software running on that employee's home computer.
Malware planted through that vulnerability captured the engineer's master password as it was typed. Two-factor authentication was not defeated cryptographically; the keystrokes were simply recorded after the employee had already satisfied it, which gave the attacker a fully authenticated session and, from there, access to the backup database.
A systematic flaw, not a mere accident
Information security experts confirmed that what happened was not the result of one catastrophic error but an accumulation of weaknesses that together allowed access to sensitive data: a developer endpoint that could reach production-adjacent secrets, an employee's unmanaged home machine on the path to backups, and a master password that could be captured in the clear.
This presents "LastPass" with a larger challenge, since fixing a systemic flaw requires a comprehensive restructuring of the security infrastructure, not just quick patches.
And although the incident dates back to 2022, the fine was only imposed in December 2025, which raises questions about what security improvements were actually made in the intervening period.
Is "LastPass" still a safe option?
Although the passwords themselves were not decrypted, the incident has revived a fundamental question: is encryption alone sufficient to build trust? For many users the answer has become more complicated, and it may prompt them to think twice before entrusting the keys to their digital life to any service, regardless of its reputation.
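The following is an added example, not code from the article or from LastPass, illustrating the two points made above: the "zero-knowledge" model (the vault is encrypted on the client with a key derived from the master password) and why encryption alone is not sufficient once the encrypted vault has been exfiltrated. Key derivation uses real PBKDF2-HMAC-SHA256; the cipher is a toy HMAC-counter keystream chosen so the example runs with only the standard library and is not a production construction. The vault entries, the wordlist, the iteration counts and the decision to leave URLs unencrypted are all constructed for the demonstration.

```python
"""Toy zero-knowledge vault plus the offline attack that a stolen blob enables.

Added example, not the product's code. Key derivation is genuine PBKDF2-HMAC-SHA256;
the cipher is a toy HMAC-counter keystream (illustrative only, not an AEAD).
"""
import hashlib
import hmac
import json
import os

KEY_LEN = 32


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Client-side key derivation: the server never receives the master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, KEY_LEN)


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: concatenated HMAC-SHA256(key, counter) blocks. Illustrative only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, entries: list, iterations: int) -> dict:
    """Build the blob the server would store. Credentials are encrypted; the URLs are
    kept in clear, constructed here to mirror the 'stored website links' that leaked."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    secrets = json.dumps(
        [{"username": e["username"], "password": e["password"]} for e in entries]
    ).encode()
    ciphertext = bytes(a ^ b for a, b in zip(secrets, _keystream(key, len(secrets))))
    tag = hmac.new(key, ciphertext, hashlib.sha256).hexdigest()
    return {
        "urls": [e["url"] for e in entries],  # readable by anyone holding the blob
        "salt": salt.hex(),
        "iterations": iterations,
        "ciphertext": ciphertext.hex(),
        "tag": tag,
    }


def decrypt_vault(master_password: str, blob: dict):
    """Return the decrypted credentials, or None if the master password is wrong."""
    key = derive_key(master_password, bytes.fromhex(blob["salt"]), blob["iterations"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    expected_tag = hmac.new(key, ciphertext, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, len(ciphertext))))
    return json.loads(plaintext)


def offline_guess(blob: dict, candidates: list):
    """What the attacker can do with a stolen blob: try master passwords with no rate
    limit and no second factor involved. Returns the first candidate that works."""
    for guess in candidates:
        if decrypt_vault(guess, blob) is not None:
            return guess
    return None


# Constructed sample data for the demonstration.
WORDLIST = ["123456", "password", "letmein", "Summer2022!", "password123"]
ENTRIES = [
    {"url": "https://bank.example", "username": "alice", "password": "hunter2"},
    {"url": "https://mail.example", "username": "alice@example.com", "password": "s3cr3t"},
]


def demo(iterations: int = 5_000) -> dict:
    """Two vaults with identical contents: one under a weak master password, one under a
    long passphrase. A low iteration count is used so the attack runs in seconds."""
    weak = encrypt_vault("password123", ENTRIES, iterations)
    strong = encrypt_vault("correct-horse-battery-staple-4711", ENTRIES, iterations)
    return {
        "urls_visible_without_any_key": weak["urls"],
        "weak_master_recovered": offline_guess(weak, WORDLIST),
        "strong_master_recovered": offline_guess(strong, WORDLIST),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the example is in `demo()`: both blobs leak the URLs without any key at all, and the weak master password falls to a five-word list, whereas the passphrase survives the same attack. Raising `iterations` slows every guess for attacker and user alike; it buys time, not immunity, which is why a "zero-knowledge" label should be read together with the master-password policy and key-derivation cost the service actually enforces.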