
Why I stopped using LastPass

The 2022 breach, 30 million stolen vaults, and a lesson about why cloud password managers are not immune.

What happened?
In August 2022, hackers breached LastPass's development environment. LastPass initially claimed that user data was not affected. They lied.

In December 2022, LastPass admitted the full truth: attackers had stolen complete backup copies of user vaults — encrypted, but with metadata in plain text. The scale of the damage:

  • 30M+ user vaults stolen in the attack
  • $150M+ in stolen cryptocurrency linked to the LastPass breach (Krebs on Security)
  • 25,000 PBKDF2 iterations for older accounts (instead of the recommended 600,000)
  • Unlimited time for offline brute force — the vaults are in the attackers' hands forever
Timeline of failures

  • August 2022: Hackers access LastPass's development environment through a compromised developer's computer. LastPass announces that users are safe.
  • November 2022: LastPass discovers "unusual activity" in cloud storage. The same access keys from the August attack were used by hackers to access backups.
  • December 2022: The full truth comes out: complete vaults were stolen. URLs, usernames, notes — in plain text. Only passwords were encrypted.
  • 2023-2026: Blockchain analysts link $150M+ in stolen cryptocurrency to the LastPass breach. Hackers are slowly cracking weaker vaults.
The fundamental problem with cloud password managers
The LastPass breach was not an "unfortunate incident" — it is a structural risk of every cloud password manager. Here's why:
  • Centralized target: 30 million vaults in one place = 30 million reasons to attack. Hackers didn't target you personally — they targeted everyone at once.
  • Offline attack forever: once an attacker has your encrypted vault, they can try to crack it for years. No lockouts, no rate limits. If your master password is weak — it's only a matter of time.
  • Metadata in plain text: the URLs of websites you log into were unencrypted. The attacker knows you use online banking, a crypto exchange, or a health portal — even without cracking the vault.
  • False sense of security: LastPass used only 25,000 PBKDF2 iterations for older accounts. Many users were never migrated to stronger protection — and they didn't even know it.
The local approach as a solution
Geslar was built on the belief that your data should stay on your device. Not on "our secure cloud", not on an "encrypted server" — on your computer, under your control.
  • No servers = no breaches: Geslar does not store data on servers. A hacker cannot steal what doesn't exist on the internet. Your vault is only on your device.
  • AES-256-GCM + PBKDF2 600K: Geslar uses AES-256 in GCM mode, an authenticated mode that detects tampering with the ciphertext (unlike the older CBC mode), and 600,000 PBKDF2 iterations — 24 times more than old LastPass accounts.
  • Zero telemetry: Geslar collects no usage data whatsoever. No analytics, no tracking, no "anonymized" statistics. Complete digital peace.
  • No registration: no email, no account, no "recovery" data on a server. If no one knows you use Geslar — they can't even target you.
Lessons from the LastPass debacle

What the LastPass breach teaches us:

  • "Encrypted in the cloud" does not mean "secure" — encryption is only as strong as your master password
  • Companies minimize breaches — LastPass hid the full scope of the attack for months
  • Metadata is also data — knowing which websites you use is valuable information for attackers
  • Cloud = centralized target — one successful attack compromises millions of users
  • Older accounts may have weaker protection than you think
If you're a LastPass user, consider switching to a local password manager. Your data is too important to entrust to someone else's server.

Switch to Geslar — your data stays only with you.


Author
Daniel Legin
Daniel Legin builds Geslar — a free password generator and manager made in Croatia.