Why You Should Not Use LastPass (7 Reasons!)

If you are looking for a password manager, you may have read that LastPass is unsafe and wondered whether there are better options. This article walks through its security history so you can judge for yourself.

LastPass has had seven notable security incidents between 2011 and 2022: two intrusions into its network, several browser-extension vulnerabilities disclosed by outside researchers, a privacy problem in its Android app, and a theft of its source code. Along the way, users' authentication hashes have been stolen, and flaws in the extension have exposed stored passwords to malicious websites.

So let’s find out by looking into each security breach one by one.

List of LastPass Security Breaches

Here are the seven notable security incidents, from 2011 to 2022:

1) 2011 Incident:

On May 3, 2011, LastPass noticed two anomalies in its network traffic: one in inbound traffic and then a similar one in outbound traffic. Administrators could not determine the cause, but they found none of the usual signs of a classic intrusion.

For instance, there was no sign of a non-administrator user having gained administrator privileges.

Because of the size of the anomalies, however, it was possible that data such as email addresses, the server salt and salted password hashes had been copied from the LastPass database.

Although they did not find evidence of a data breach, the company decided to take the necessary steps to ensure that the security of its customers was protected.

In response to the issue, the company took its servers offline so that they could be rebuilt. On May 4, 2011, all its users were asked to change their passwords.

2) 2015 Incident:

In June 2015, LastPass detected and blocked suspicious activity on its network. No evidence was found that encrypted user vault data had been taken.

In a blog post on June 15, 2015, the company said it had stopped the activity the previous week. The investigation found that account email addresses, password reminders, per-user server salts and authentication hashes had been compromised.


LastPass said its security measures were sufficient to protect the vast majority of users, because an authentication hash is not the master password itself.

Specifically, the authentication hash is strengthened with a random per-user salt and 100,000 rounds of server-side PBKDF2-SHA256, on top of the key derivation already performed on the client.

The salt rules out precomputed (rainbow-table) attacks, and the round count makes every guess expensive, so cracking the stolen hashes offline is slow except for users with weak or reused master passwords. LastPass nevertheless prompted users to change their master passwords and required email verification for logins from new devices or IP addresses.

3) 2016 Incident:

In July 2016, the security firm Detectify published a blog post describing how a malicious website could read plaintext passwords for arbitrary domains from the vault of any LastPass user who visited it.

The vulnerability was caused by poorly written URL parsing code in the LastPass browser extension, which could be tricked into treating a page on an attacker's site as belonging to a different domain and filling in that domain's credentials.

Detectify reported the flaw to LastPass privately and disclosed it publicly only after LastPass had fixed it.

Around the same time, Tavis Ormandy of Google's Project Zero security team reported a separate vulnerability in the extension, which was also fixed.

4) 2017 Incident:

In March 2017, Tavis Ormandy reported further vulnerabilities in the LastPass browser extension.

LastPass fixed the flaws and shipped the patch to all of its clients, including the Edge, Chrome and Firefox extensions. One of the bugs allowed remote code execution on the user's machine if the user simply visited a malicious website; it was also patched.

5) 2019 Incident:

On August 30, 2019, Ormandy reported another vulnerability in the browser extension: the credentials LastPass had last filled could be exposed to the next website the user visited. LastPass fixed it.

Although the bug affected only the Chrome and Opera versions of the extension, the fix was shipped to all platforms.

6) 2021 Incident:

In February 2021, it was revealed that the LastPass Android app embedded third-party trackers, which collect device and usage data that a password manager has no need to share with advertising and analytics companies.

Separately, in December 2021, BleepingComputer reported that LastPass users were receiving emails warning that someone had used their master password to attempt a login from an unfamiliar location. LastPass attributed the warnings to credential-stuffing attempts using passwords leaked from other services, and later said that some of the alerts had been sent in error.


7) 2022 Incident:

In August 2022, LastPass disclosed that an attacker had used a single compromised developer account to gain access to parts of its development environment.

The company informed customers in a blog post. The attacker took portions of LastPass's source code and proprietary technical information, but LastPass said at the time that no customer data, master passwords or vault contents had been accessed. In December 2022, LastPass disclosed that information stolen in this incident was used in a follow-on attack in which backups of customer vaults were copied; those backups contain encrypted fields such as passwords alongside unencrypted data such as website URLs, so the security of affected users' passwords now rests entirely on the strength of their master passwords.

As you can see, LastPass has dealt with several security issues over the years. Despite this, the company has managed to maintain a solid user base and continues to be one of the most popular password managers on the market.

You can never be too careful with online security, so always use a password manager such as Keeper Security and choose a strong master password.

And if you’re using LastPass, remember to enable two-factor authentication!

What is Better than LastPass?

1Password is a better alternative to LastPass because it uses a zero-knowledge architecture: your vault is encrypted on your device, and the keys never reach 1Password's servers. The servers hold only ciphertext, so a breach of 1Password's infrastructure would not by itself expose your passwords; an attacker would still need both your account password and your Secret Key, which never leaves your devices.

With 1Password, you only need one master password to unlock your other passwords, which are stored in an encrypted “vault.”

The platform also offers two-factor authentication and other features to help keep your account safe from hackers.

It’s trusted by top tech brands such as IBM, Slack, GitLab, Shopify, and Intercom, so you can be sure that your data is in good hands.

There is a 14-day free trial available, so you can try it out and see if it’s the right fit. After that, pricing starts at $2.99/month or $4.99 for families making it good value for money.


Are You Ready to “Beef Up” Your Password Security?

Password management tools are a necessary part of internet security. They help to keep track of all of your passwords and can help you create more secure passwords.

However, LastPass is not the best option for a password management tool.

As we have covered, LastPass has had numerous security incidents between 2011 and 2022. Users' authentication hashes have been stolen, and flaws in the extension have exposed stored passwords to malicious websites.

Over the years its Android app, its browser extension and its source code have all been affected, which means the passwords you keep there have repeatedly been put at risk.

1Password is a good alternative that is more secure and reliable. In either case, you should also have a decent anti-virus program running alongside your password manager (but maybe not McAfee).

1Password is available on macOS, iOS, Windows, Android, Linux and Chrome OS, and it has a command-line tool. Browser extensions are available for both Chrome and Firefox.