Security researcher recommends against using LastPass after detailing 7 trackers

A security researcher recommends the LastPass password manager after detailing seven trackers found in the Android app, The register reports. While there is no indication that the trackers, which were analyzed by researcher Mike Kuketz, transfer a user’s actual passwords or usernames, Kuketz says their presence is bad practice for a critical app. for the security that manages such sensitive information.

In response to the report, a spokesperson for LastPass said the company collects limited data “on how LastPass is used” to help it “improve and optimize the product.” Mostly, LastPass says The register that “no sensitive user personally identifiable data or vault activity can be transmitted through these trackers”, and users can disable the analysis in the Privacy section of the Advanced settings menu.

LastPass’s trackers include four from Google that handle analytics and incident reporting, as well as one from a company called Segment, which collects data for marketing teams. Kuketz analyzed the transmitted data and found that it included information about the make and model of the smartphone, as well as information about enabling biometric security for a user. Even though the data transmitted is not personally identifiable, the mere integration of this third-party code in the first place introduces the potential for security vulnerabilities, according to Kuketz.

“If you’re actually using LastPass, I recommend changing the password manager,” Kuketz wrote (via machine translation). “There are solutions that do not permanently send data to third parties and record user behavior.”

LastPass isn’t the only password manager to include trackers like this, but it seems to have more of them than many popular competitors. The free Bitwarden alternative only has two according to Exodus Privacy, while RoboForm and Dashlane have four, and 1Password does not.

The report follows LastPass’s announcement to severely limit the functionality of its free offering. Although free users can currently store an unlimited number of passwords on all devices without limitation, soon they will have to choose a device category to view and manage their passwords – “Mobile” or “Computer” – unless that they do not wish to pay for the service. The changes will take effect on March 16.