If you’re shopping for a password manager, you’ve probably come across LastPass. However, before you consider it as an option, you should first be aware that the company has a turbulent history, with many serious data breaches occurring since 2011. Based on this poor track record of security problems, there is a very real risk of a LastPass breach happening again.
If you already have it installed, the safest option is to delete LastPass and to export and then delete any data the company holds so it’s no longer at risk.
We don’t often advise so strongly against other online services. No system is 100% secure, but the persistent security issues at LastPass should raise alarm bells for anyone considering storing their most sensitive data there. Let’s look at why we’ve made this recommendation.
After the last LastPass breach, is it now safe to use?
There is an abundance of evidence and research that shows LastPass is not safe to use. The company has dropped the ball on several occasions, leading to some of the biggest breaches in web history.
Many of these issues appear to stem from the company’s inability to learn from its mistakes, neglecting to implement much-needed security measures that are usually standard in any password manager, including ours, Proton Pass.
A timeline of LastPass security incidents
LastPass was founded in 2008 and has had some kind of security scandal in most years since 2011. Though not every one of these incidents was a full-blown data breach, the company does not appear to take security particularly seriously. Let’s examine all the major LastPass breaches and security events since 2011.
2011: A small, limited breach
The first LastPass breach was a small and limited. In May 2011, the account details of perhaps a couple hundred LastPass users may have been exposed(nieuw venster). This was likely due to many of these customers using easily deciphered passwords for their LastPass account. These passwords made them vulnerable to brute-force attacks in which criminals use software to “guess” passwords.
In a now-deleted blog post — erasing the record is a pattern of behavior for LastPass, as you’ll see below — LastPass recommended to their users that stronger passwords should be used to secure accounts, as well as making sure that any access attempt was verified through an IP address. In the time since 2011, methods to protect against brute-force attacks have improved, but for then it was a reasonable response.
2015: Brute force attack of unknown duration
In June 2015, four years after the last hack, another LastPass breach occurred when the company was attacked(nieuw venster) again in a similar way. Criminals tried to brute-force access and managed to access the accounts of people who had used weak passwords. LastPass again responded fairly comprehensively, alerting law enforcement and resetting users’ master passwords, forcing them to log in via email.
This is where LastPass also began its long-running pattern of not revealing any details of an attack, most importantly how many people were affected and how long the attack lasted before it was discovered. The success of a brute force attack can be measured by the time attackers have to carry it out; the sooner you react, the less successful it is. The fact that LastPass didn’t release these details gave the impression it may have lasted longer than would be considered safe.
2016: White hat hacks
The year after the brute force attack there were a number of incidents in which security researchers — white hat hackers who test security with an aim to improve it, not to steal data — managed to get through.
The first was revealed in January. It consisted of a simple phishing attack in which LastPass users could easily be fooled into giving up their credentials. The details of how the attack worked are explained in Hackread(nieuw venster). But what’s more interesting is LastPass’ reaction to the attack. The company deflected criticism by claiming it was a phishing attack and thus outside its purview, ignoring the fact that companies can and in fact should plan for these contingencies.
The second incident(nieuw venster) in July 2016 was a similar scenario, in which Google-employed security researcher Tavis Ormandy — a name we’ll run into again shortly — fooled LastPass’ Firefox add-on to give up user details. LastPass’ reaction was to issue a security advisory in a now-deleted blog post (another vain attempt to delete history) to update the extension.
The final, and worst, flaw was in the same month and found by security researcher Mathias Karlsson. The details are here(nieuw venster), but the short version is that LastPass left a nasty bug in its code that let a savvy hacker extract any passwords used on a site via LastPass’ autofill. LastPass fixed the issue as soon as Karlsson reported it, and also paid him a bounty for finding it.
2017: More bugs, both minor and major
Tavis Ormandy seems to have made testing LastPass his pet project at some point, as he kept up a steady pace of revelations throughout 2016 and 2017. Most of these were simple and mainly notable for the sheer number of them. LastPass doesn’t seem to have taken quality control very seriously, or at least assumed that people like Ormandy would do it for them.
However, there was one flaw that was deemed serious enough to make it onto the pages of The Guardian(nieuw venster) in March 2017. Sadly, we don’t know too much about what exactly happened as apparently giving up details might make LastPass users even less safe than they already were. If you think transparency is a vital part of security — and we do — this should be enough reason never to use LastPass.
2019: Ormandy strikes again
Ormandy kept up his work of embarrassing LastPass, finding many minor bugs. However, in September 2019 he again found something bad enough to be mentioned in the press. Like in 2016, this was a bug in a browser extension, this time those for Opera and Chrome, which let attackers extract login information(nieuw venster) of any sites users had previously visited.
LastPass patched the bug as soon as Ormandy reported it, but was rather relaxed when telling its users, as it “only” affected the extensions for Chrome and Opera; no mention that Chrome is by far the most widely used browser(nieuw venster) globally.
2021: LastPass caught harvesting data
In February 2021 security researcher Mike Kuketz came out with another shocking revelation(nieuw venster), namely that LastPass had been using trackers in its password manager. Though the company claimed that it merely did this to see how people were using the product, the fact is such trackers can also be used to gather advertising data.
This is the most likely explanation, too. As Kuketz says, there is no reason to gather information the way LastPass did because there are far more secure and less intrusive ways to do this. It’s likely the data was being used in some way for marketing purposes.
The appearance of activity trackers in a password manager isn’t a unique occurrence: Bitwarden(nieuw venster) and Dashlane, two other popular password managers, both include trackers. But a good password manager won’t include any, as Proton Pass doesn’t.
2022: The final nail?
Eventually, though, LastPass’ track record of slap-dash security came back to haunt it. Over the course of several months the company had to admit to several serious breaches, then was caught covering up exactly how bad they had been. We have the full story here, but here is a summary:
In August 2022, the company admitted that a hacker had gained access to the company’s development environment (think of it as a workshop where software is assembled and tinkered with before it’s launched), but had not been able to gain access to customer information. In December, the company admitted that the development environment had been breached again and that this time attackers had stolen customer data.
Then, in March 2023, it turned out that the company had lied in earlier statements and that attackers had stolen a lot more, including sneaking a peek not just at customer data, but even the security architecture of LastPass itself. This pretty much makes LastPass vulnerable forever unless it completely overhauls its architecture.
The business has since gone independent(nieuw venster), leaving its parent company GoTo in May 2024. A rash of new hires and several press releases promising change strongly suggest that the company wants a fresh start, but has it done the work to deserve it? Only time will tell.
What to use instead of LastPass
As you can see, the latest LastPass breach doesn’t stand by itself; the company has a long history of not taking security seriously and putting their customers last. Time and again it has failed to put out competent products and then, when caught, downplayed the effect on customers — when not lying outright.
If you’ve been affected by a LastPass breach or if you’re worried you will be, you deserve better. This is why we developed Proton Pass, a password manager that takes security seriously and treats people with respect. We do this through transparency, with all client code being open-source, meaning anybody can check our work. Our code is also independently audited by third-party security experts. Our security is further enhanced by Proton’s bug bounty program that incentivizes security researchers to stress test our code.
Learn more about Proton Pass security.
As a company founded by scientists, transparency and peer review are core values, and we’re guided by a mission to make the web more private and secure.
As a Proton user, you get access to cutting-edge tech that uses two-factor authentication to keep you safe from brute-force attacks, as well as sophisticated anti-phishing technology and integrated privacy features such as Hide-my-email aliases.
If all that sounds good, join us today. We have a guide on how you can easily export your LastPass data to Proton Pass.