Help! I think my LastPass account has been compromised!

    If you're concerned that your LastPass account may have been compromised but still have access to your account, please log in to LastPass immediately and follow the steps below.

    Attention: Currently, there are two different extension menu experiences, so instructions may differ depending on your navigational experience. The "new experience" applies to version 4.104.0 and newer for the LastPass browser extension, whereas the "previous experience" refers to version 4.103.0 and earlier.

    If you can still log in to your LastPass account...

    If you are able to log in to your LastPass account with your email address and master password, follow the steps below.

    Step #1: Log out of all other active sessions

    Immediately log out of all active LastPass sessions (except for the one you're actively in).

    1. In your web browser toolbar, click the inactive (grey or black) LastPass icon.
    2. Enter your email address and master password, then click Log In.
    3. If prompted, complete steps for multifactor authentication (if it is enabled on your account).
    4. Click the active LastPass icon in your browser toolbar.
    5. Take the action that matches your navigational experience:
      • New experience – Select the Account tab, then go to Fix a problem yourself > Log out of LastPass everywhere.
      • Previous experience – Select Account Options OR < your username > at the bottom of the menu, then go to Advanced > Other Sessions.
    6. Select Kill all but current session to remove all other sessions.
    Results: You have ended all other active LastPass sessions (outside of your current active session).
    What to do next: For all sessions that you have ended, you will be prompted to log in to LastPass again to access your account from that device and/or web browser.

    Step #2: Change your master password

    Once your current session is the only one still active, it is recommended that you change the master password for your LastPass account.

    1. While logged in to LastPass, click the LastPass icon in your web browser toolbar.
    2. Select Open My Vault.
    3. Select Account Settings in the left navigation.
    4. In the Login Credentials section under master password, click Change Master Password.
    5. In the new web browser page or tab that opens, enter your current master password, then create a new master password. Enter a password hint (recommended – this is a clue that is sent in a reminder email to help you remember your master password if it is ever forgotten).
    6. When finished, click Save Master Password.

      Result: You are logged out of LastPass.

    7. Log back in to LastPass with your updated master password.

    Step #3: Update your LastPass account email addresses

    If your email address has also been compromised, it is recommended that you update your LastPass account email address using a different email address, as well as your security email address (if you had set one up prior to being compromised).

    Step #4: Review your account history

    Check your account history for suspicious login activity.

    1. Log in to LastPass and access your vault by doing either of the following:
      • In your web browser toolbar, click the active LastPass icon and select Vault or Open My Vault.
      • Go to https://lastpass.com/?ac=1 and log in with your email address and master password.
    2. If prompted, complete steps for multifactor authentication (if it is enabled for your account).
    3. Go to Advanced Options > View account history.
    Results: Your account history is displayed – make note of any suspicious activity.
    Attention: Tracking login and Form Fill history is enabled for all LastPass accounts by default.

    What to do next: If desired, learn more about account history.

    Step #5: Restrict your account to only trusted devices

    Remove any unknown, untrusted, stolen, or previous devices.

    1. Log in to LastPass and access your vault by doing either of the following:
      • In your web browser toolbar, click the active LastPass icon and select Vault or Open My Vault.
      • Go to https://lastpass.com/?ac=1 and log in with your email address and master password.
    2. If prompted, complete steps for multifactor authentication (if it is enabled for your account).
    3. Select Account Settings in the left navigation.
    4. Select the Mobile Devices tab.
    5. Remove any device you do not recognize or trust.
    What to do next: If desired, learn more about managing trusted devices.

    Step #6: Restrict your account to only trusted locations

    If you know that you only access LastPass from one or more specific countries, you can update your login settings to restrict access to LastPass from only those allowed countries.

    1. While logged in to LastPass, click the LastPass icon in your web browser toolbar.
    2. Select Open My Vault.
    3. Select Account Settings in the left navigation.
    4. Click Show Advanced Settings at the bottom.
    5. In the "Security" section for Country Restriction, enable the Only allow login from selected countries setting, then check the boxes of all countries from which you want to approve LastPass access.
    6. Click Update when finished.
    Results: You have restricted access to LastPass to only the selected countries.

    If you have lost access to your LastPass account...

    If you are no longer able to log in to your LastPass account, review the options below.

    Revert your master password

    Navigate to https://lastpass.com/revert, enter your email address, then click Send Email. Follow these instructions for reverting your master password.

    Delete your LastPass account (very last resort)

    If you are unable to revert your master password, it is recommended that you delete your LastPass account.

    It is highly recommended that you begin changing your passwords for sensitive accounts (e.g., banking, email, social media, etc.) by generating secure passwords.

    The following are best practices to protect yourself from compromising attacks in the future: