LastPass has been in the news quite a bit over the past decade. Following several data breaches and security incidents, you may be wondering whether it is now safe to use the well-known password manager, whether you are a former, current, or prospective LastPass user.
Let's look at LastPass' current features and security measures, along with the previous incidents.
What is LastPass?
LastPass is a password management application available on the web, desktop, and mobile, as well as through browser extensions. It offers multifactor authentication, biometric login, autofill, a password generator, and dark web monitoring alongside its core password management features.
As for security, LastPass uses AES-256 encryption for vault data, salted PBKDF2 key derivation with SHA-256 for the master password, and a zero-knowledge model in which the master password and the resulting vault key stay on the client. LastPass also holds several security certifications, including ISO 27001, TRUSTe, SOC 3, and others.
LastPass currently has over 33 million users and an estimated annual revenue of $143.7 million.
This all sounds terrific, right? So what's the problem?
LastPass safety incidents
There is a reason people are asking whether LastPass is safe to use. Security breaches, including the theft of data over the years, are a genuine cause for concern. To understand more about these incidents, let's look at a brief timeline of what happened.
2011: Security notification
LastPass noticed an anomaly in its network traffic, along with a matching one in one of its databases. Even though it did not find evidence of a specific breach, LastPass asked its users to change their master passwords out of concern that some of its data may have been compromised.
2015: Security breach
LastPass notified its community that it had "discovered and blocked suspicious activity" on its network. The notification stated that email addresses, password reminders, server per-user salts, and authentication hashes had been compromised. However, it found no evidence that user vault data had been stolen and stated that user accounts had not been accessed.
2021: Third-party trackers and master passwords
A LastPass user discovered several third-party trackers in the Android mobile app. While comparable password managers also contained trackers of this kind, the point was made that LastPass had the most among LastPass, 1Password, Bitwarden, and Dashlane.
"No sensitive personally identifiable user data or vault activity could be passed through these trackers. These trackers collect limited aggregated statistical data about how you use LastPass, which is used to help us improve and optimize the product," read the statement provided to The Register by a LastPass representative.
Later in 2021, it was reported that LastPass users had been notified by email that their master passwords had been compromised and that login attempts using those passwords had been blocked. However, a LastPass representative said that the company had investigated these reports and "determined the activity is related to fairly common bot-related activity …"
2022: Data theft
Probably the most memorable security incident occurred when an attacker stole a copy of the LastPass customer database, including password vaults and data such as names, email and billing addresses, partial credit card numbers, and URLs. The stolen vault data was a mix of encrypted and unencrypted fields (website URLs, for instance, were stored unencrypted).
The LastPass security incident report begins with the August 2022 occurrence above. It then continues with updates over the following months, explaining the investigation into unusual activity in a shared third-party cloud storage service used to house backups along with other data.
Later in 2022, LastPass acknowledged that data obtained in the original August incident had been used to gain access to customer information, but that passwords remained encrypted.
The individual or group was able to obtain source code and technical information, which they later used to target a LastPass employee. From that employee they obtained credentials and keys to access and decrypt storage volumes within that cloud service. They then copied information from a backup containing company names, usernames, email and billing addresses, telephone numbers, and IP addresses.
In September 2023, a link was reported between the 2022 data theft and more than $35 million in cryptocurrency stolen from over 150 victims since the previous December.
Additional LastPass safety measures
As mentioned earlier, LastPass uses the industry standard for encryption, salted PBKDF2 hashing, and a zero-knowledge model for protecting your data. Zero-knowledge here means that the master password and the vault key derived from it never leave your device; LastPass only stores an authentication hash and the encrypted vault. The flip side is that once an encrypted vault has been copied, as in 2022, the only things standing between the thief and its contents are the strength of the master password and the number of PBKDF2 iterations the thief must repeat per guess.
It also undergoes routine audits and testing of its service and infrastructure, and gives users access to its security team for reporting possible weaknesses. LastPass also runs a bug bounty program through which white-hat hackers can submit bugs they find.
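To make the zero-knowledge model concrete, here is an added example written for this article; it is not LastPass's own code and does not use LastPass's actual parameters. It builds a minimal client/server login scheme in Python from the primitives named here and in the "What is LastPass?" section above: salted PBKDF2-HMAC-SHA256 key derivation, per-user server salts, and authentication hashes. Using the account email as the client-side salt, the single extra PBKDF2 round for the authentication hash, the 5,000-iteration demo count, the example account and the wordlist are all assumptions for illustration; the AES-256 vault encryption step is omitted (the derived 32-byte key is what would feed it). The offline_guess function shows what a thief holding a copied database, as in 2015 and 2022, actually has to do.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Assumed demo value so the example runs quickly; real deployments use far more.
DEMO_ITERATIONS = 5_000


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Client side: derive the 256-bit key that would encrypt the vault (AES-256).

    Salted with the lower-cased account email (an assumption of this model) so two
    users with the same master password get different keys. Never leaves the device.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one extra PBKDF2 round over the vault key.

    This value, not the password and not the vault key, is what the client sends,
    so the server can check a login without holding anything that opens the vault.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def enroll(master_password: str, email: str, iterations: int = DEMO_ITERATIONS) -> dict:
    """Server side: the record kept for one account.

    Mirrors the fields named in the 2015 disclosure: email, per-user server salt
    and authentication hash (plus the iteration count the client must use).
    """
    vault_key = derive_vault_key(master_password, email, iterations)
    auth_hash = derive_auth_hash(vault_key, master_password)
    server_salt = os.urandom(16)
    # Salt and hash the presented value once more before storing it, so a dump of
    # this table does not directly yield a replayable login credential.
    stored_hash = hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, 1, dklen=32)
    return {
        "email": email.lower(),
        "iterations": iterations,
        "server_salt": server_salt,
        "stored_hash": stored_hash,
    }


def server_verify(record: dict, presented_auth_hash: bytes) -> bool:
    """Server side: re-salt the presented hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", presented_auth_hash, record["server_salt"], 1, dklen=32
    )
    return hmac.compare_digest(record["stored_hash"], candidate)


def client_login(record: dict, master_password: str) -> bool:
    """Full round trip: derive key and auth hash locally, present only the hash."""
    vault_key = derive_vault_key(master_password, record["email"], record["iterations"])
    return server_verify(record, derive_auth_hash(vault_key, master_password))


def offline_guess(record: dict, candidates: list[str]) -> tuple[str | None, int]:
    """What an attacker holding a stolen record (or encrypted vault) must do.

    Every guess repeats the full client-side PBKDF2 work, so the iteration count
    and the master password's strength are the only defences left once the data
    has been copied. Returns (recovered password or None, number of guesses made).
    """
    for attempts, guess in enumerate(candidates, start=1):
        if client_login(record, guess):
            return guess, attempts
    return None, len(candidates)


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Measure single-core PBKDF2 guessing throughput on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", "probe@example.com", iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    record = enroll("correct horse battery staple", "alice@example.com")  # constructed account
    print("login with right password:", client_login(record, "correct horse battery staple"))
    print("login with wrong password:", client_login(record, "Tr0ub4dor&3"))
    wordlist = ["password", "letmein", "Tr0ub4dor&3", "correct horse battery staple"]  # constructed
    print("offline attack result:", offline_guess(record, wordlist))
    for iters in (DEMO_ITERATIONS, 100_000):
        print(f"{iters:>7} iterations: ~{guesses_per_second(iters):.1f} guesses/s on one core")
```

Run it and compare the two throughput lines: raising the iteration count is a linear tax on every offline guess, and it is the one parameter the provider controls after a breach has already happened, which is why iteration counts matter as much as the encryption algorithm itself.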
Should you employ LastPass?
With its current security measures, feature set, and millions of users, it seems reasonable to use LastPass as your go-to password manager, if you can look past the security incidents spanning more than a decade.
But that is really what it comes down to. Can you look past the incidents? Would you feel that your data is safe? How much trust are you willing to place in LastPass?
There are many companies out there with password management products that have not made headlines or had incidents like LastPass. And it certainly seems as though LastPass has a permanent target on its back for hackers and thieves. Hopefully, the company is taking the necessary measures to fix the problems, but right now, you will have to decide whether it is worth the risk.