Skip to main content

Is LastPass safe? Here’s what we know about its security history

LastPass website on a laptop.
Digital Trends

LastPass has been in the news quite a bit over the past decade. Following some data breaches and security incidents, you may be wondering if it’s now safe to use the well-known password manager — whether you’re a previous, current, or potential LastPass user.

Let’s take a look at LastPass’ current features and security measures along with the previous incidents.

Recommended Videos

What is LastPass?

LastPass main webpage.
Digital Trends

LastPass is a password management application available on the web, desktop, and mobile, as well as with browser extensions. It offers multifactor authentication, biometric login, autofill, a password generator, and dark web monitoring to go along with its basic password management features.

As for security, LastPass uses AES-256 data encryption, PBKDF2 hashing with SHA-256 salting, and a zero-knowledge model. LastPass also holds several security certifications including ISO 27001, TRUSTe, SOC3, and others.

Currently, LastPass has over 33 million users and an estimated annual revenue of $143.7 million.

This all sounds terrific, right? So, what’s the problem?

LastPass security incidents

Cyber Security shattered concept.
Madartzgraphics / Pixabay

There’s a reason people are asking if LastPass is safe to use. Security breaches, along with the theft of information over the years, are certainly cause for concern. To understand more about these incidents, let’s look at a brief timeline of what occurred.

2011: Security notification

LastPass found an irregularity in its network traffic along with one to match in one of its databases. Even though it didn’t find a specific breach, LastPass asked its users to change their master passwords for fear that some of its data may have been hacked.

2015: Security breach

LastPass notified its community that it “discovered and blocked suspicious activity” on its network. The notification stated that email addresses, password reminders, server per user salts, and authentication hashes were compromised. However, it didn’t find evidence that user vault data was stolen and stated that user accounts were not accessed.

2021: Third-party trackers and master passwords

A LastPass user discovered several third-party trackers in the Android mobile app. While similar password managers also contained these types of trackers, the point was made that LastPass had the most between it, 1Password, Bitwarden, and Dashlane.

“No sensitive personally identifiable user data or vault activity could be passed through these trackers. These trackers collect limited aggregated statistical data about how you use LastPass,which is used to help us improve and optimize the product,” said the statement provided to The Register by a LastPass representative.

Later in 2021, it was reported that LastPass users were notified via email that their master passwords were compromised and login attempts with those passwords were blocked. However, a LastPass representative stated that the company investigated these reports and “determined the activity is related to fairly common bot-related activity …”

2022: Data theft

Probably the most memorable security incident occurred when a hacker stole a copy of the LastPass customer database, along with password vaults and data including names, email and billing addresses, partial credit card numbers, and URLs. There was a mix of encrypted and unencrypted data involved.

The LastPass security incident report starts with the above August 2022 occurrence. It then with updates through the next few months, explaining its investigation into unusual activity in a shared third-party cloud storage service used to house backups along with other data.

Later in 2022, LastPass stated that data obtained in the original August incident was used to gain access to customer information, but that passwords remained encrypted.

The person or entity was able to obtain source code and technical information to later target a LastPass employee. They obtained credentials and keys in order to access and decrypt storage volumes within that cloud service. They then then copied information from a backup containing company names, usernames, email and billing addresses, phone numbers, and IP addresses.

In September 2023, a link was found between the 2022 data theft incident and more than $35 million in cryptocurrency being stolen from over 150 victims since the previous December.

Additional LastPass security measures

As mentioned earlier, LastPass uses the industry standard for encryption, PBKDF2 hashing with salting, and a zero-knowledge method for protecting your data.

It also undergoes routine audits and testing of its service and infrastructure, and provides users access to its security team for reporting possible weaknesses. LastPass also uses what’s called a Bug Bounty Program where white-hat hackers can submit bugs they find.

Should you use LastPass?

Locked and unlocked padlocks.
Methodshop / Pixabay

With the current security measures, a good feature set, and millions of users, it sounds reasonable to use LastPass as your go-to password manager — if you can look past the security incidents spanning over a decade.

But that’s really what it comes down to. Can you look past the incidents? Would you feel that your data is safe? How much trust are you willing to put in LastPass?

There are many companies out there with password management products that haven’t made headlines or had incidents like LastPass. And, it certainly seems like LastPass has a permanent target on its back from hackers and thieves. Hopefully, the company is taking the necessary measures to fix the problems, but right now, you’ll have to decide whether it’s worth the risk.

Topics
Sandy Writtenhouse
Sandy has been writing about technology since 2012. Her work has appeared on How-To Geek, Lifewire, MakeUseOf, iDownloadBlog…
Using LastPass? You need to switch urgently, says security firm
A dark mystery hand typing on a laptop computer at night.

It’s a good idea to use one of the best password managers to keep your logins safe, but now a security company is warning that one of the most popular password managers in the world is not safe to use.

The extraordinary claim comes from Intego, a firm that specializes in Mac security. Intego made its assertion based on a series of security breaches LastPass has suffered in recent months, the way LastPass has responded to those incidents, and the underlying technology LastPass uses to protect customer accounts.

Read more
Hackers just stole LastPass data, but your passwords are safe
A physical lock placed on a keyboard to represent a locked keyboard.

The developers behind password management software LastPass have just shared some concerning news: Bad actors were recently able to access “elements of our customers’ information” in a recent security breach.

It’s the second time in just a couple of months that LastPass has suffered a security incident, and it appears the two events are directly linked. That’s because LastPass’s developers say that the unauthorized party was able to access customer data “using information obtained in the August 2022 incident.”

Read more
Hackers stole LastPass source code in data breach incident
lastpass on phone

Today, LastPass confirmed a data breach in a blog post describing the incident to its customers that rely on the company's products for online security. The company emphasized that customer data was not stolen in the breach, however, and that users do not have to do anything to secure their data.

In a post written by CEO Karim Toubba, LastPass stated the following:

Read more