If you’re shopping for a password manager, one prominent product is LastPass. The company has had a turbulent history, however, which may lead you to wonder, is LastPass safe?
Based on its poor track record of security problems, the short answer is that no, LastPass is not safe, and you should probably avoid it. If you already have it installed, the safest option is to delete LastPass(new window) and to export and then delete any data the company holds so it’s no longer at risk.
We don’t often advise so strongly against other online services, and while no system is 100% secure, the persistent security issues at LastPass should raise alarm bells for anyone considering storing their most sensitive data there. Let’s look at why we’ve made this recommendation.
How safe is LastPass?
There is an abundance of evidence and research that shows LastPass is not safe to use. The company has dropped the ball on several occasions, leading to some of the biggest breaches in web history.
Many of these issues appear to stem from the company’s inability to learn from its mistakes, neglecting to implement much-needed security measures that are usually standard in any password manager, including ours, Proton Pass.
A timeline of LastPass security incidents
LastPass was founded in 2008 and has had some kind of security scandal in most years since 2011. Though not each of these incidents was a full-blown data breach, a picture quickly emerges of a company that does not appear to take security particularly seriously, making disaster inevitable. Let’s go over all major incidents LastPass has experienced in its short existence.
2011: A small, limited breach
The first breach LastPass experienced was a small, limited breach in May 2011 in which the account details of LastPass users — maybe as few as a couple of hundred — may have been exposed(new window). This was likely due to many of these customers using easily deciphered passwords for their LastPass account. Which made them vulnerable to brute-force attacks in which criminals use software to “guess” passwords.
In a now-deleted blog post — a pattern of behavior we’ll see more of in this timeline — LastPass recommended that stronger passwords(new window) were used to secure accounts, as well as making sure that any access attempt was verified through an IP address. In the time since 2011, methods to protect against brute-force attacks have improved, but for then it was a reasonable response.
2015: Brute force attack of unknown duration
In June 2015, four years after the last hack, LastPass again was attacked(new window) and in much the same way. Criminals tried to brute-force access and managed to get through to the accounts of people who had used weak passwords. LastPass again responded fairly comprehensively, alerting law enforcement and resetting everybody’s master password, forcing users to login via email.
However, LastPass also began a pattern of not revealing any details of the attack, most importantly how many people were affected and how long the attack lasted before it was discovered. The success of a brute force attack can be measured by the time attackers have to carry it out; the sooner you react, the less successful it is. The fact that LastPass didn’t release these details gave the impression it may have lasted longer than would be considered safe.
2016: White hat hacks
The year after the brute force attack there were a number of incidents in which security researchers — white hat hackers who test security with an aim to improve it, not to steal data — managed to get through.
The first was revealed in January. It consisted of a simple phishing attack(new window) in which LastPass users could easily be fooled into giving up their credentials. The details of how it worked are explained in Hackread(new window), but most interesting is probably LastPass’ reaction. The company deflected criticism by claiming it was a phishing attack and thus outside its purview, ignoring the fact that companies can plan for these contingencies.
The second incident(new window) in July 2016 was a similar scenario, in which Google-employed security researcher Tavis Ormandy — a name we’ll run into again shortly — fooled LastPass’ Firefox add-on to give up user details. LastPass’ reaction was to issue a security advisory in a now-deleted blog post (another vain attempt to delete history) to update the extension.
The final, and worst, flaw was in the same month and found by security researcher Mathias Karlsson. The details are here(new window), but the short version is that LastPass left a nasty bug in its code that let a savvy hacker extract any passwords used on a site via LastPass’ autofill. Happily, LastPass fixed the issue as soon as Karlsson reported it, and also paid him a bounty for finding it.
2017: More bugs, both minor and major
Tavis Ormandy seems to have made LastPass his pet project at some point, as he kept up a steady pace of revelations throughout 2016 and 2017. Most of these were pretty simple and mainly notable for the sheer number of them. LastPass doesn’t seem to have taken quality control very seriously, or at least assumed that people like Ormandy would do it for them.
However, there was one flaw that was deemed serious enough to make it onto the pages of The Guardian(new window) in March 2017. Sadly, we don’t know too much about what exactly happened as apparently giving up details might make LastPass users even less safe than they already were. If you think transparency is a vital part of security — and we do — this should be enough reason never to use LastPass.
2019: Ormandy strikes again
Ormandy kept up his work of embarrassing LastPass, finding many minor bugs. However, in September 2019 he again found something bad enough to be mentioned in the press. Like in 2016, this was a bug in a browser extension, this time those for Opera and Chrome, which let attackers extract login information(new window) of any sites users had previously visited.
LastPass patched the bug as soon as Ormandy reported it, but was rather sanguine when telling its users, as it “only” affected the extensions for Chrome and Opera; no mention that Chrome is by far the most widely used browser(new window) out there.
2021: LastPass caught harvesting data
In February 2021 security researcher Mike Kuketz came with another shocking revelation(new window), namely that LastPass had been using trackers in its password manager. Though the company claimed that it merely did this to see how people were using the product, the fact is such trackers can also be used to gather advertising data.
This is the most likely explanation, too. As Kuketz says, there is no reason to gather information the way LastPass did because there are far more secure and less intrusive ways to do this.
2022: The final nail?
Eventually, though, LastPass’ track record of slap-dash security came back to haunt it. Over the course of several months the company had to admit to several serious breaches, then was caught covering up exactly how bad they had been. We have the full story here(new window), but here is a summary:
In August 2022, the company admitted that a hacker had gained access to the company’s development environment (think of it as a workshop where software is assembled and tinkered with before it’s launched), but had not been able to gain access to customer information. In December, the company admitted that the development environment had been breached again and that this time attackers had stolen customer data.
Then, in March 2023, it turned out that the company had lied in earlier statements and that attackers had stolen a lot more, including sneaking a peek not just at customer data, but even the security architecture of LastPass itself. This pretty much makes LastPass vulnerable forever unless it completely overhauls its architecture.
What to use instead of LastPass
As you can see, the latest LastPass breach doesn’t stand by itself; the company has a long history of not taking security seriously and putting their customers last. Time and again it has failed to put out competent products and then, when caught, downplayed the effect on customers — when not lying outright.
If you’re still a LastPass user, you deserve better. This is why we developed Proton Pass, a password manager that takes security seriously and treats people with respect. We do this through transparency, with all client code being open-source(new window), meaning anybody can check our work. Our code is also independently audited by third-party security experts. Our security is further enhanced by Proton’s bug bounty program that incentivizes security researchers to stress test our code.
Learn more about Proton Pass security.
As a company founded by scientists, transparency and peer review are core values, and we’re guided by a mission to make the web more private and secure.
As a Proton user, you get access to cutting-edge tech that uses two-factor authentication(new window) to keep you safe from brute-force attacks, as well as sophisticated anti-phishing technology(new window) and integrated privacy features such as Hide-my-email aliases.
If all that sounds good, join us today. We have a guide on how you can easily export your LastPass data to Proton Pass.
