SCH.cx – Security Researchers Suggested Not To Use This App After Discovering 7 Trackers in LastPass

According to The Register, a security researcher, Kuketz, recommends against using the LastPass password manager after discovering seven trackers in the application. Although there is no suggestion that these trackers are transferring users' actual passwords or usernames, embedding trackers is bad practice for a security-critical application that processes such sensitive information.
In response to the report, a LastPass spokesperson said that the company collects limited data about how LastPass is used, to help it improve and optimize its products. Importantly, LastPass told The Register that no sensitive personally identifiable user data or activity can be passed through these trackers, and that users can opt out of analytics in the privacy section of the advanced settings menu.
LastPass's trackers include four from Google that handle analytics and crash reporting, and one from a company called Segment, which is said to collect data for the marketing team. Kuketz analyzed the data being transmitted and found that it included the smartphone's make and model and whether the user has biometric security features enabled. Kuketz said that even if the transmitted data is not personally identifiable information, merely integrating this third-party code in the first place introduces the possibility of security vulnerabilities.
LastPass is not the only password manager that includes such trackers, but it seems to have more than many popular competitors. According to data from Exodus Privacy, the free alternative Bitwarden has only two, while RoboForm and Dashlane have four, and 1Password has none. The report was released after LastPass announced strict restrictions on the features of its free tier. Although free users can currently store an unlimited number of passwords across devices without limitation, they will soon have to choose a type of device on which to view and manage passwords, namely mobile phones or computers, unless they pay for the service. These changes will take effect on March 16.