LastPass has been jumping from controversy to controversy in recent weeks. It all started in mid-February, when the company announced a change in its policy that affects the free version of its service — as of March 16, users who do not pay for the Premium version will only be able to use the mobile app or the PC app, but not both at the same time.
Now the latest discovery about LastPass has called its security and privacy into question. According to The Register, security researcher Mike Kuketz found seven trackers built into the LastPass app and recommends switching password managers.
Based on Exodus Privacy data, four of LastPass’s trackers are from Google and are used for analytics and for generating reports when the app closes unexpectedly. This in itself is not surprising, since many apps include trackers to understand how the app is being used and whether there are problems or bugs. It is not what we would expect from a fully private app, but the real problem lies in the three remaining trackers, which send information to third parties.
LastPass integrates AppsFlyer, MixPanel, and Segment trackers, which collect device and usage information and send it to external servers for analysis.
Kuketz says he has analyzed the information transmitted by the trackers built into LastPass. He states that they send data about the phone, such as the make, model, and operating system, along with the IP address, the country, and the name of the mobile operator, as well as whether or not the user has biometric authentication enabled.
Worse still is that along with the data, a ‘mysterious’ user identifier is also sent, which could be used to track the user in other services or apps, bypassing Google’s measures.
For Kuketz, this is very serious. Although passwords are not among the shared data, the trackers follow the user the whole time LastPass is in use.
Furthermore, this practice is unusual in this sector. Kuketz compared other password manager apps and found that 1Password and KeePass have no trackers at all, while Dashlane has four trackers and Bitwarden two.
A LastPass spokesperson told The Register that “sensitive personal identification data of the user or activity from the vault cannot be passed through the trackers.” In addition, they explained what the trackers are used for:
“These trackers collect limited aggregated statistical data on how LastPass is used, which is used to help us improve and optimize the product.”
LastPass has stated that all users, regardless of the browser or device they use, can opt out of this data analysis. To disable the trackers, the corresponding option is found under Account settings > Show advanced settings > Privacy.