Skip to main content

Is LastPass safe? Here’s what we know about its security history

LastPass website on a laptop.
Digital Trends

LastPass has been in the news quite a bit over the past decade. Following some data breaches and security incidents, you may be wondering if it’s now safe to use the well-known password manager — whether you’re a previous, current, or potential LastPass user.

Let’s take a look at LastPass’ current features and security measures along with the previous incidents.

What is LastPass?

LastPass main webpage.
Digital Trends

LastPass is a password management application available on the web, desktop, and mobile, as well as with browser extensions. It offers multifactor authentication, biometric login, autofill, a password generator, and dark web monitoring to go along with its basic password management features.

As for security, LastPass uses AES-256 data encryption, PBKDF2 hashing with SHA-256 salting, and a zero-knowledge model. LastPass also holds several security certifications including ISO 27001, TRUSTe, SOC3, and others.

Currently, LastPass has over 33 million users and an estimated annual revenue of $143.7 million.

This all sounds terrific, right? So, what’s the problem?

LastPass security incidents

Cyber Security shattered concept.
Madartzgraphics / Pixabay

There’s a reason people are asking if LastPass is safe to use. Security breaches, along with the theft of information over the years, are certainly cause for concern. To understand more about these incidents, let’s look at a brief timeline of what occurred.

2011: Security notification

LastPass found an irregularity in its network traffic along with one to match in one of its databases. Even though it didn’t find a specific breach, LastPass asked its users to change their master passwords for fear that some of its data may have been hacked.

2015: Security breach

LastPass notified its community that it “discovered and blocked suspicious activity” on its network. The notification stated that email addresses, password reminders, server per user salts, and authentication hashes were compromised. However, it didn’t find evidence that user vault data was stolen and stated that user accounts were not accessed.

2021: Third-party trackers and master passwords

A LastPass user discovered several third-party trackers in the Android mobile app. While similar password managers also contained these types of trackers, the point was made that LastPass had the most between it, 1Password, Bitwarden, and Dashlane.

“No sensitive personally identifiable user data or vault activity could be passed through these trackers. These trackers collect limited aggregated statistical data about how you use LastPass,which is used to help us improve and optimize the product,” said the statement provided to The Register by a LastPass representative.

Later in 2021, it was reported that LastPass users were notified via email that their master passwords were compromised and login attempts with those passwords were blocked. However, a LastPass representative stated that the company investigated these reports and “determined the activity is related to fairly common bot-related activity …”

2022: Data theft

Probably the most memorable security incident occurred when a hacker stole a copy of the LastPass customer database, along with password vaults and data including names, email and billing addresses, partial credit card numbers, and URLs. There was a mix of encrypted and unencrypted data involved.

The LastPass security incident report starts with the above August 2022 occurrence. It then with updates through the next few months, explaining its investigation into unusual activity in a shared third-party cloud storage service used to house backups along with other data.

Later in 2022, LastPass stated that data obtained in the original August incident was used to gain access to customer information, but that passwords remained encrypted.

The person or entity was able to obtain source code and technical information to later target a LastPass employee. They obtained credentials and keys in order to access and decrypt storage volumes within that cloud service. They then then copied information from a backup containing company names, usernames, email and billing addresses, phone numbers, and IP addresses.

In September 2023, a link was found between the 2022 data theft incident and more than $35 million in cryptocurrency being stolen from over 150 victims since the previous December.

Additional LastPass security measures

As mentioned earlier, LastPass uses the industry standard for encryption, PBKDF2 hashing with salting, and a zero-knowledge method for protecting your data.

It also undergoes routine audits and testing of its service and infrastructure, and provides users access to its security team for reporting possible weaknesses. LastPass also uses what’s called a Bug Bounty Program where white-hat hackers can submit bugs they find.

Should you use LastPass?

Locked and unlocked padlocks.
Methodshop / Pixabay

With the current security measures, a good feature set, and millions of users, it sounds reasonable to use LastPass as your go-to password manager — if you can look past the security incidents spanning over a decade.

But that’s really what it comes down to. Can you look past the incidents? Would you feel that your data is safe? How much trust are you willing to put in LastPass?

There are many companies out there with password management products that haven’t made headlines or had incidents like LastPass. And, it certainly seems like LastPass has a permanent target on its back from hackers and thieves. Hopefully, the company is taking the necessary measures to fix the problems, but right now, you’ll have to decide whether it’s worth the risk.

Editors' Recommendations

Topics
Sandy Writtenhouse
Sandy has been writing about technology since 2012. Her work has appeared on How-To Geek, Lifewire, MakeUseOf, iDownloadBlog…
Hackers stole LastPass source code in data breach incident
lastpass on phone

Today, LastPass confirmed a data breach in a blog post describing the incident to its customers that rely on the company's products for online security. The company emphasized that customer data was not stolen in the breach, however, and that users do not have to do anything to secure their data.

In a post written by CEO Karim Toubba, LastPass stated the following:

Read more
LastPass is scaling back its free tier. Find out if you need to pay
LastPass

LastPass currently offers a free tier that lets a single user access its password manager service on all their mobile devices and computers. But that’s about to change.

Starting March 16, the company will limit its free tier to only one device type, either mobile or computer. So if you select to keep the free tier for mobile, you’ll be asked to pay a fee to continue using the service on computers, and vice versa.

Read more
Leaving LastPass? Here’s how to take all your passwords with you
LastPass

If you, like many of us, have been happily using LastPass's excellent free tier for the last few years, you're probably dismayed that LastPass is moving to change the way its free access works. From March 16, you'll only be able to sync your LastPass database between mobile devices or computers -- but not both. So if you want to keep accessing the same passwords on your phone and laptop, you'll have to pay up and join LastPass's premium subscription for $3 a month.

Of course, not everyone is wild to pay a subscription fee -- or has the free cash to do so. If that's you, you're probably looking for a password manager to replace LastPass. But you won't want to leave all your collected passwords and logins behind. Thankfully, you can quickly and easily export your LastPass passwords and login information and import them into your new password manager of choice. So go check out our list of the best password managers, then dive into our guide on how to leave LastPass and take your passwords with you.
Export your LastPass database
Now that you know you're moving from LastPass, the first step is to make sure you take everything with you. Thankfully, exporting your database from LastPass is simple. Unfortunately, there's no way to export your passwords from the mobile app, so you'll have to use a PC or Mac to complete this action.

Read more