How Many Times Has LastPass Been Hacked, and Is It Still Safe to Use? (2024)

Key Takeaways

  • LastPass has experienced multiple data breaches in the past, including one in 2015 that exposed user emails and master passwords. However, the majority of users who employed extra security layers were likely safe from the breach.
  • LastPass faced criticism in 2021 when it was discovered that their Android app contained third-party trackers, raising concerns about security. LastPass responded by stating that the trackers were used for application telemetry and could be disabled by users.
  • LastPass experienced a significant breach in 2022, where attackers accessed customer data and user vault information. This breach led to further consequences for LastPass and its mother company, GoTo, including stolen encrypted backups and evidence of an accessed encryption key.
  • Overall, while LastPass is generally considered safe, the multiple breaches and security incidents have led some users to seek alternative password managers that have not been compromised.

Many of us use password managers to keep our private data safe, with LastPass being one of the most popular options out there. But LastPass has suffered its fair share of data breaches, putting customers' sensitive information at risk.

So, how many times has LastPass been hacked, and is it still safe to use?

1. LastPass 2015 Breach

The first LastPass hack occurred in June 2015, seven years after the company's founding. This severe breach exposed the emails and master passwords of LastPass users, as well as the hint or reminder words used to remember master passwords. The hack was noticed when LastPass picked up on suspicious network activity, which was soon blocked. However, some damage had already been done.

In a now-expired note to customers (available via the Internet Archive), LastPass informed users that those who used extra security layers like hashing and salting on their passwords were likely safe from the hack. Luckily, the majority of LastPass users employ these security methods, meaning only a small portion of customers stood the chance of being affected.

LastPass also stated that it did not believe any user accounts were accessed due to the attack but urged users to verify their email addresses and renew any weak or repeatedly used master passwords to boost security.

A few weeks after the hack, LastPass published a blog post stating that its security had improved since the hack, with an array of small and large changes being made to protect customers further. Included in these changes was the introduction of Hardware Security Modules (HSMs), which protect LastPass's cryptographic infrastructure.

2. LastPass 2021 Tracking Incident

Though LastPass wasn't hacked in 2021, it did run into problems when it was found its Android app contained third-party trackers. In February 2021, a security analysis app named Exodus Privacy revealed that it had found seven trackers in the LastPass Android app, sparking suspicion among users. Security researcher Mike Kuketz commented on the discovery in a Kuketz IT Security blog post, stating that "it's completely out of the question to integrate [ads and trackers] into password manager apps."

Kuketz also listed the seven trackers found in the LastPass Android app, which included trackers from Google Analytics, Segment, and AppsFlyer. Granting access to marketing analytics platforms in this way was condemned by Kuketz, who wrote that LastPass's approach is "extremely questionable in terms of security."

Kuketz underlined that the LastPass Android app needed to be checked manually to discern whether the trackers were actively keeping tabs on users. The presence of the trackers alone, however, was noted by Kuketz to be bad practice for an app that needs to prioritize security.

In response to this criticism, LastPass informed users that it does use analytics tools. LastPass emphasized that this was done to get insights into "application telemetry, error and crash reporting data, as well as high-level usage statistical information to ultimately improve the overall performance, reliability and usability of [the app]."

It was also stated that the analytics element of the LastPass app was an optional feature that users could disable in their advanced settings. But regardless of this, the presence of trackers in the LastPass Android app left a bad taste in the mouths of security analysts and users.

3. LastPass 2022 Breaches

It took some time for LastPass to run into another cyberattack after the initial 2015 incident. But in 2022, another attack did indeed come. This was a particularly tough year for LastPass, with an initial hack in August causing shock waves that would continue into 2023.

In early August 2022, LastPass became aware of a breach where a hacker had compromised a LastPass developer's laptop to steal source code and access the company's cloud-based development platform. The hacker bypassed the multifactor authentication security on the engineer's account by successfully authenticating themselves as the user. While this was a very concerning incident, the hacker retrieved no customer information.

But a few months later, things got worse. In December 2022, LastPass announced that the August hack had given attackers a way into more sensitive areas of its infrastructure, first exploited in November. This time, hackers accessed LastPass customer data, including email and IP addresses, telephone numbers, and names. On top of this, certain kinds of user vault data were exposed, including stored usernames and passwords for online accounts.

Needless to say, LastPass was now in very hot water, and things wouldn't stop in 2023.

The 2023 Aftereffects

Though 2023 didn't bring any new hacks for LastPass, it did bring more and more unsettling information about 2022's exploits.

In January 2023, LastPass's mother company, GoTo, released a statement about the consequences of the 2022 hacks. GoTo's statement explained that several of the company's other services, including Central, Hamachi, Pro, join.me, and RemotelyAnywhere, were also targeted by attackers via a third-party cloud storage device. From this device, attackers stole encrypted backups. What's more, GoTo revealed that it had found evidence suggesting an encryption key for some of the stolen backups was also accessed.

In February 2023, LastPass found itself in the news headlines again when it was revealed that, between the first and second 2022 hacks, more malicious actions had been taken by attackers.

As documented in an X post, the November 2022 hackers compromised a senior LastPass developer's home computer via a software media vulnerability. After hacking the computer, hackers installed a keylogger, enabling them to view what the developer was typing on their keyboard.

This gave attackers access to the developer's LastPass corporate vault master password, allowing attackers to access the vault itself. What's shocking here is that only four LastPass senior developers had access to the corporate vault, and attackers still managed to successfully target one such developer.

Hackers also used the user credentials stolen in 2022 to steal $4.4 million in cryptocurrency in October 2023. It is thought that the attackers accessed crypto wallet seed phrases and keys in the second 2022 breach, allowing them to hack into wallets and withdraw crypto to their desired address.

LastPass has a full list of data accessed in the 2022 hacks if you'd like to see all that was exposed due to the 2022 incidents.

Is LastPass Still Safe to Use?

Though LastPass has been in service since 2008, most of its data breaches and security incidents have occurred in the 2020s. Given its multiple past security issues, it's natural to feel a little nervous about using LastPass, so what's the verdict here? Is LastPass safe to use, or should you opt for something else?

While it's safer to use LastPass than a simple notes app or similar storage option, there may well be better password managers out there today. With so many blights on its security record, LastPass has become a no-go for many, as there's no knowing when another breach will occur. With 2022 causing so many issues for LastPass and its users, it's no surprise that some users have jumped ship, opting for password managers that haven't yet been hacked.

Dashlane and NordPass are just two examples of highly reputable password managers that have never suffered a security breach, so it's certainly possible to find a password manager that hasn't had its customer data or employee portals exposed to hackers.

If you're currently using LastPass but want to head elsewhere, check out our guide on deleting your LastPass account. We also have a handy guide on the safest password managers if you need help choosing a replacement.

However, LastPass's security incidents do not make it an unsafe password manager. The app still has many useful features for protecting sensitive credentials and is easy to use regardless of tech savviness.

LastPass Isn't the King of Password Management

There's nothing inherently wrong with using LastPass to store passwords, as the app is generally quite safe. However, it's worth noting the super secure alternatives out there if you want to ensure your sensitive information is being stored as effectively as possible.

Article information

Author: Arielle Torp
