Before I review and test a password manager, I send a list of questions to the company inquiring about its privacy and security practices. Consumers should have plenty of information about the companies handling their data. For insight into LastPass’s privacy policies, read the company’s answers (edited for length) to my questions below.
Has your company ever had a security breach?
Yes.
If so, when? Please provide dates.
2015 (GoTo was breached), 2022.
What was exposed in the breach?
2015 – Before being acquired by LogMeIn, Inc. (now known as GoTo), GoTo experienced an incident in 2015 where a hard drive was stolen from one of their data centers. This drive did not include users’ vaults but did include unencrypted data related to their accounts.
2022 – LastPass disclosed that a threat actor had gained access to a cloud storage environment used for backups and exfiltrated both encrypted and unencrypted customer data.
Since then, LastPass made a multi-million-dollar investment in security enhancements across its people, processes, and technology including completing its separation from GoTo, operating as an independent company with a newly refreshed management team, entirely new modernized cloud-based infrastructure, systems, and tools, as well as a fully dedicated Trust and Security team. This includes a new Threat Intelligence team focused entirely on protecting its customers and their data. In connection with this separation, LastPass completed a number of steps to further modernize and harden its infrastructure.
What unencrypted information does the password manager store in customer vaults?
Encryption and decryption are ONLY performed on the end-user’s device. LastPass does not have access to or store the master password, which derives the encryption key used to encrypt/decrypt customer data. This is aligned with our Zero Knowledge principles.
LastPass customer vault data is encrypted using AES-256 on a per-user basis (meaning every user’s encryption keys are unique). Encrypted fields within the vault include usernames, passwords, website names, notes, payment cards, addresses, bank accounts, item and folder names, secure notes, etc.
Up until June 2024, URL-related fields within the vault were not encrypted. As of June 2024, all newly created and any customer-modified URLs stored within the primary URL field have been encrypted in all customer vaults.
There are 6 remaining URL-related fields, which are either pre-populated by LastPass or empty upon initial use and potentially added by customers. The remaining fields have architectural dependencies that will take longer to remediate, and encrypting these fields will require additional product refactoring and/or sunsetting of certain older features/functionality, and will continue throughout 2025, given required end-of-life (EoL) notification practices.
What is the company’s policy regarding selling or sharing customer data with third parties?
At LastPass, we always strive to limit the types and categories of data that is collected from, and processed on behalf of, our users to include only data which is necessary to achieve the purpose(s) for which it was collected – in other words, we have measures and policies in place designed to ensure that we only collect and process data that we believe is necessary to provide our users with a world-class service.
LastPass does not sell end-user data to third parties, including any vault data. Under some US state data protection laws, our use of third-party cookies for advertising purposes may constitute a “sale”. We specifically inform visitors of the use of those technologies and the specific cookies that may be deployed within our cookie banner, and, depending on the visitor’s location, cookies are only deployed after a visitor opts in to their use. Furthermore, we afford individuals the ability to manage their privacy rights by opting out of the sale or sharing of their personal data through the cookie banner, the Cookie Preferences link present at the bottom of our web page, or by submitting a request through our Individual Rights Management Portal.
How does your company respond to requests for customer information from governments and law enforcement?
LastPass will not disclose customer information to governments and/or law enforcement unless presented with a valid warrant, subpoena, court order, or equivalent legal process. Each request is considered on a case-by-case basis, and LastPass is committed to responsibly balancing our legal and regulatory obligations with the commitments to promote public safety and user privacy, which may include attempting to narrow requests that it deems excessively broad, requesting further clarification if the nature of the investigation is ambiguous, or contesting the request for other reasons.
Further, due to our zero-knowledge security model, we do not possess, and cannot obtain, the master password needed to be able to decrypt any encrypted customer vault data. Therefore, we cannot provide such information in response to a government request.
LastPass told me that the 6 remaining unencrypted URL-related vault fields will be 100% encrypted by October 2025. These are presumably the same fields that were unencrypted during the 2024 review period. Storing unencrypted vault data on a server in the cloud is a security flaw, so the score remains lowered by a half point.
LastPass’s other answers are in line with the company’s privacy policy. Always browse privacy policies for all apps to learn more about how companies collect, sell, or store your data.
