anonym.legal

By · Last updated 2026-03-16

Back to BlogTechnical

Evaluating ZK Claims After LastPass

$438M stolen from LastPass users after their 'encrypted' vaults were breached. A £1.2M ICO fine followed. Here's the checklist for evaluating whether a.

March 16, 20268 minute read
zero-knowledge evaluationvendor security assessmentLastPass breachcloud encryption claimsGDPR Article 32

The Gap Between Claim and Architecture

Updated for 2026

Every cloud vendor says the same thing: "We encrypt your data." That claim is almost always true. It is almost always not enough.

The LastPass breach of 2022 is the best example. LastPass encrypted user password vaults. They used real encryption. The claim was accurate. And yet 25 million users had their vaults stolen. By 2025, $438 million had been taken from LastPass users in crypto heists. Coinbase Institutional tracked this figure.

The UK Information Commissioner's Office fined LastPass's UK entity £1.2 million in December 2025. The reason: "failure to implement appropriate technical and organisational security measures." The encryption was real. But it did not meet the required standard.

The LastPass case changes the key question for any cloud privacy tool. Not "do they encrypt our data?" but: "can they decrypt our data?"

Four Questions That Actually Matter

Four questions reveal whether a vendor's zero-knowledge claim holds up.

1. Where does key derivation happen?

In true zero-knowledge design, key derivation happens on the client. This means in the browser or desktop app, before any data is sent. The key encrypts data locally. Only ciphertext reaches the vendor's servers.

If the vendor derives keys on their servers, they hold the keys. If they hold the keys, they can decrypt. The claim may be accurate — but it misleads.

2. Does the vendor ever see plaintext?

Some tools encrypt data at rest. But they decrypt it for processing. This can happen to run AI models, search indexes, or audit logs. During that window, plaintext is on the vendor's systems. An attack at that moment exposes unencrypted data.

3. What happens under legal process?

A vendor with server-side keys can be forced to hand over decrypted content. A vendor with true zero-knowledge can only produce ciphertext. They have nothing useful to hand over, even under a subpoena.

4. What does a full server compromise expose?

In a genuine zero-knowledge system, a full compromise yields only encrypted blobs. The attacker gets ciphertext with no keys. In a vendor-key system, an intrusion exposes both keys and data at once.

The LastPass Implementation Gap

The LastPass incident revealed one specific flaw. Older accounts used PBKDF2 with as few as 1 iteration for key derivation. The safe count is 600,000 iterations. That weak setting made brute-force attacks on stolen vaults feasible.

This shows why checking the design alone is not enough. A vendor can use a zero-knowledge design and still implement it poorly. Ask about both: where keys are derived, and how strong the algorithm is.

A Different Failure Mode: Okta

In October 2023, Okta disclosed a leak of 600,000+ customer support records. Okta is an identity platform. This was not a weak zero-knowledge design. It was a support system intrusion that held customer data.

The 300% SaaS attack surge in 2024 (AppOmni/CSA) reflects both failure types. Zero-knowledge design addresses the first type. It does not remove all risk. But it ensures a full system compromise exposes no decryptable customer data.

What a Real Evaluation Looks Like

Here is a practical checklist for procurement teams.

Architecture review:

  • Ask where key derivation occurs — on the client or on the vendor's server
  • Ask for the encryption algorithm, key length, and iteration count
  • Confirm plaintext is never sent to vendor servers

Compromise scenario test:

  • Ask what a full server compromise would expose
  • The only correct answer: "encrypted ciphertext we cannot decrypt"
  • Any other answer means the claim is not real zero-knowledge

Legal process review:

  • Ask whether the vendor can comply with a subpoena for customer plaintext
  • A real zero-knowledge vendor cannot produce what they do not have

Compliance check:

  • Request the vendor's GDPR Article 32 documentation
  • ISO 27001 — specifically Annex A cryptographic controls — gives external verification

The £1.2 million LastPass ICO fine shows regulators now check whether encryption claims meet a required standard. Procurement teams can apply the same test before an incident happens.

See our security and compliance overview for how anonym.legal handles zero-knowledge. The compliance documentation covers GDPR Article 32 in full. For common questions, see the zero-knowledge FAQ.

Sources

Related Articles

Technical

Cross-Platform PII: Mac, Linux, and Windows

Privacy officers on Mac, legal on Windows, data engineers on Linux — all processing the same data with different tools. Here's why OS-agnostic detection.

Technical

Cross-Application PII: Word, Chrome, and AI

Customer data flows from browser research to Word drafts to Claude prompts. Each context switch is a potential leakage point.

Technical

GDPR in App Logs: JSON PII Compliance

Application logs contain customer email addresses, IPs, and account numbers that GDPR Article 5(1)(e) requires be managed.

Ready to protect your data?

Start anonymizing PII with 285+ entity types across 48 languages.

Start Free TrialView Features

About this page

We update this page when our platform or the law changes.

Read our founder note for how we work.

Each change shows up in the timestamp at the top.

Related reading

We follow these rules

  • GDPR (EU 2016/679).
  • ISO/IEC 27001:2022.
  • NIS2 (EU 2022/2555).
  • HIPAA safe harbor under 45 CFR § 164.514(b)(2).

Our promise

We do not sell your data.

We do not train models on your text.

We store your files in Germany.

You can delete your account at any time.

You own your work.

Where we run

Our servers live in Falkenstein, Germany.

We use Hetzner. They hold ISO 27001 certification.

All data stays in the EU.

Backups run every day.

Need help?

Email support@anonym.legal.

We reply within one business day.

How we test

We run a full check suite on every release.

Each surface gets its own sweep script and report.

Human reviewers spot-check the output each week.

We track recall and precision on a labelled set.

Bad runs block the deploy.

What we never do

  • We never sell your information to third parties.
  • We never train models on what you upload.
  • We never keep your work after you delete it.
  • We never share keys with any outside firm.
  • We never run ads inside the product.

Plans in plain words

We sell credits, not seats.

One credit covers one short job.

Long jobs use a few credits each.

You can top up at any time.

Unused credits roll over each month.

Read the plans page for current rates.

Who built this

A small team of engineers and lawyers built this.

We ship from Europe and work in the open.

Our founder note spells out why we started.

Where to start

How the parts fit

A browser add-on cleans text inside Chrome.

A Word plug-in handles drafts in Office.

A small desktop tool works on whole folders.

An agent protocol link feeds large models safely.

All four share one core engine and one rule set.

Words from our team

We started this work after a lunch about cookies.

One friend kept getting odd ads on her phone.

We asked why a court file leaked through a draft.

We sketched the first build on a napkin that week.

By month three we had a tiny demo for a friend.

She used it on her first case the next day.

Common questions we hear

Can the tool read scanned PDFs? Yes, with OCR.

Does it work on long files? Yes, in small chunks.

Can I roll my own rule set? Yes, save it as a preset.

Does it run offline? The desktop build runs offline.

Do you keep my files? No, the cloud build wipes after each run.

Will it learn from my work? No, we never train on inputs.

A short tour of the workflow

Upload a file or paste a snippet of prose.

Pick the entities you want gone from the draft.

Choose a method: replace, mask, hash, encrypt, or redact.

Press run and watch the side panel show each hit.

Skim the result and tweak any rule that misfired.

Save the cleaned file or send it to a teammate.