Is LastPass safe? Here’s what we know about its security history
Wondering if you should use LastPass to keep your passwords secure? Let’s look at its current security measures and previous incidents so you can decide.
LastPass has been in the news quite a bit over the past decade. Following some data breaches and security incidents, you may be wondering if it’s now safe to use the well-known password manager — whether you’re a previous, current, or potential LastPass user.
Let’s take a look at LastPass’ current features and security measures along with the previous incidents.
What is LastPass?
Digital TrendsLastPass is a password management application available on the web, desktop, and mobile, as well as with browser extensions. It offers multifactor authentication, biometric login, autofill, a password generator, and dark web monitoring to go along with its basic password management features.
As for security, LastPass uses AES-256 data encryption, PBKDF2 hashing with SHA-256 salting, and a zero-knowledge model. LastPass also holds several security certifications including ISO 27001, TRUSTe, SOC3, and others.
Currently, LastPass has over 33 million users and an estimated annual revenue of $143.7 million.
This all sounds terrific, right? So, what’s the problem?
LastPass security incidents
Madartzgraphics / PixabayThere’s a reason people are asking if LastPass is safe to use. Security breaches, along with the theft of information over the years, are certainly cause for concern. To understand more about these incidents, let’s look at a brief timeline of what occurred.
2011: Security notification
LastPass found an irregularity in its network traffic along with one to match in one of its databases. Even though it didn’t find a specific breach, LastPass asked its users to change their master passwords for fear that some of its data may have been hacked.
2015: Security breach
LastPass notified its community that it “discovered and blocked suspicious activity” on its network. The notification stated that email addresses, password reminders, server per user salts, and authentication hashes were compromised. However, it didn’t find evidence that user vault data was stolen and stated that user accounts were not accessed.
2021: Third-party trackers and master passwords
A LastPass user discovered several third-party trackers in the Android mobile app. While similar password managers also contained these types of trackers, the point was made that LastPass had the most between it, 1Password, Bitwarden, and Dashlane.
“No sensitive personally identifiable user data or vault activity could be passed through these trackers. These trackers collect limited aggregated statistical data about how you use LastPass,which is used to help us improve and optimize the product,” said the statement provided to The Register by a LastPass representative.
Later in 2021, it was reported that LastPass users were notified via email that their master passwords were compromised and login attempts with those passwords were blocked. However, a LastPass representative stated that the company investigated these reports and “determined the activity is related to fairly common bot-related activity …”
2022: Data theft
Probably the most memorable security incident occurred when a hacker stole a copy of the LastPass customer database, along with password vaults and data including names, email and billing addresses, partial credit card numbers, and URLs. There was a mix of encrypted and unencrypted data involved.
The LastPass security incident report starts with the above August 2022 occurrence. It then with updates through the next few months, explaining its investigation into unusual activity in a shared third-party cloud storage service used to house backups along with other data.
Later in 2022, LastPass stated that data obtained in the original August incident was used to gain access to customer information, but that passwords remained encrypted.
The person or entity was able to obtain source code and technical information to later target a LastPass employee. They obtained credentials and keys in order to access and decrypt storage volumes within that cloud service. They then then copied information from a backup containing company names, usernames, email and billing addresses, phone numbers, and IP addresses.
In September 2023, a link was found between the 2022 data theft incident and more than $35 million in cryptocurrency being stolen from over 150 victims since the previous December.
Additional LastPass security measures
As mentioned earlier, LastPass uses the industry standard for encryption, PBKDF2 hashing with salting, and a zero-knowledge method for protecting your data.
It also undergoes routine audits and testing of its service and infrastructure, and provides users access to its security team for reporting possible weaknesses. LastPass also uses what’s called a Bug Bounty Program where white-hat hackers can submit bugs they find.
Should you use LastPass?
Methodshop / PixabayWith the current security measures, a good feature set, and millions of users, it sounds reasonable to use LastPass as your go-to password manager — if you can look past the security incidents spanning over a decade.
But that’s really what it comes down to. Can you look past the incidents? Would you feel that your data is safe? How much trust are you willing to put in LastPass?
There are many companies out there with password management products that haven’t made headlines or had incidents like LastPass. And, it certainly seems like LastPass has a permanent target on its back from hackers and thieves. Hopefully, the company is taking the necessary measures to fix the problems, but right now, you’ll have to decide whether it’s worth the risk.