"We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third party as a result of this credential stuffing, nor have we found any indication that users' LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns," DeMichele said. "However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems."

This isn't the first time LastPass - whose source code is proprietary, rather than open-source - has faced a security scare or criticism over its privacy practices. Its most notable breach was in 2015 and is the only breach noted on LastPass' official site. That same year, though, Asana Security Head Sean Cassidy discovered a phishing vulnerability created by a CSRF bug, and a research paper emerged detailing another CSRF bug and how LastPass' Safari bookmarklet option was found vulnerable if users were tricked into clicking certain parts of an attacker's site.

One was discovered by security researcher Mathias Karlsson, the other by Google Project Zero's Tavis Ormandy, the latter of which prompted LastPass to urge users to update their browsers. In 2017, the password manager patched another major security flaw in its browser extension - the Achilles' heel of most password managers - that could have allowed hackers to manipulate a LastPass account. This foreshadowed University of York research in 2019, which found another vulnerability that would allow malicious copycat apps to exploit LastPass' autofill feature. Ormandy returned to LastPass scrutiny later in 2019, discovering a third browser extension vulnerability - which LastPass again resolved - that would expose login credentials you entered on a previously visited site.

In February 2021, LastPass was in the privacy hot seat again for its use of web trackers.

Regarding Tuesday's security scare, LastPass said it will monitor the service for unusual or malicious activity and continue to take any necessary steps to ensure user data security.

Unlike audits conducted across competitors RememBear, NordPass and open-source Bitwarden, LastPass' independent, third-party audits are limited in their public availability. And while LogMeIn keeps a collection of audits for several of its properties, the company says its additional cloud security audit for LastPass is only available if you sign a nondisclosure agreement. Only bare-bones, organizational audits have traditionally been publicly available, along with a list of companies LastPass works with.

As a preventive security measure, LastPass users should regularly update their master password and enable multifactor authentication on their accounts. And remember: If you're using a password manager, never reuse the master password for any other site, service or app. If you've reused your LastPass master password for any other password managers - such as Bitwarden or 1Password - we advise you to update those accounts as well.