LastPass

Company type: Private
Founded: 2008
Headquarters: 125 High Street, United States
Key people: Karim Toubba, CEO (2022–present)
Revenue: $200 million (2021)
Number of employees: 800+ (2024)
Website: lastpass.com
Footnotes / references: [1][2]

LastPass is a password manager application.[3] The standard version of LastPass comes with a web interface, but also includes plugins for various web browsers and apps for many smartphones. It also includes support for bookmarklets.

Founded in 2008 by four developers,[4][5] LastPass was acquired by GoTo (formerly LogMeIn Inc.) for $110 million in 2015.[6] LastPass was spun off from GoTo into a stand-alone business in 2024.[7]

LastPass suffered significant security incidents between 2011 and 2022. Notably, in late 2022, user data, billing information, and vaults (with some fields encrypted and others not)[a][8] were breached, leading many security professionals to call for users to change all their passwords and switch to other password managers.[9]

Overview

A user's content in LastPass, including passwords and secure notes, is protected by one master password. The content is synchronized to every device on which the user runs the LastPass software or app extensions. Information is encrypted with AES-256, using PBKDF2 SHA-256 and salted hashes, and users can increase the password iterations value. Encryption and decryption take place at the device level.[10][11]

LastPass has a form filler that automates password entering and form filling, and it supports password generation, site sharing and site logging, and two-factor authentication. LastPass supports two-factor authentication via various methods including the LastPass Authenticator app for mobile phones as well as others including YubiKey.[12]

Unlike some other major password managers, LastPass offers a user-set password hint, allowing access when the master password is missing.[13]

History

On December 2, 2010, it was announced that LastPass had acquired Xmarks, a web browser extension that enabled password synchronization between browsers. The acquisition meant the survival of Xmarks, which had financial troubles, and although the two services remained separate, the acquisition led to a reduced price for paid premium subscriptions combining the two services.[14][15] On March 30, 2018, the Xmarks service was announced to be shut down on May 1, 2018, according to an email to LastPass users.[16]

On October 9, 2015, GoTo acquired LastPass for $110 million. The company was combined under the LastPass brand with a similar product, Meldium, which had already been acquired by GoTo.[17][18]

On March 16, 2016, LastPass released LastPass Authenticator, a free two-factor authentication app.[19]

On November 2, 2016, LastPass announced that free accounts would now support synchronizing user content to any device, a feature previously exclusive to paid accounts. Earlier, a free account on the service meant it would sync content to only one app.[20][21]

In August 2017, LastPass announced LastPass Families, a family plan for sharing passwords, bank account info, and other sensitive data among family members for a $48 annual subscription. They also doubled the price of the Premium version without adding any new features to it. Instead, some features of the free version were removed.[22]

On December 14, 2021, GoTo announced that LastPass would be established as an independent company.[23] The spin-off was completed in May 2024, with LastPass being directly controlled by Francisco Partners and Elliott Management, the private equity firms that took GoTo private in 2020.[7][24]

Reception

In March 2009, PC Magazine awarded LastPass five stars, an "Excellent" mark, and their "Editors' Choice" for password management.[25] A new review in 2016, following the release of LastPass 4.0, again earned the service five stars, an "Outstanding" mark, and the "Editors' Choice" honor.[26]

In July 2010, LastPass's security model was extensively covered and approved of by Steve Gibson in his Security Now podcast episode 256.[27] He also revisited the subject and how it relates to the National Security Agency in Security Now podcast episode 421.[28]

In October 2015 when GoTo acquired LastPass, founder Joe Siegrist's blog was filled with user comments voicing criticism of GoTo.[29] Web sites ZDNet, Forbes and Infoworld posted articles mentioning the outcry by existing customers, some of whom said they would refuse to do business with GoTo, and raised other concerns about GoTo's reputation.[30][31][32]

A 2017 Consumer Reports article described LastPass as a popular password manager (alongside Dashlane, KeePass, and 1Password), with the choice between them mostly down to personal preference.[13] In March 2019, LastPass was awarded the Best Product in Identity Management award during the seventh annual Cyber Defense Magazine InfoSec Awards.[33]

Security incidents

2015 security breach

On Monday, June 15, 2015, LastPass published a blog post indicating that the LastPass team had discovered and halted suspicious activity on their network the previous Friday. Their investigation revealed that LastPass account email addresses, password reminders, server per-user salts, and authentication hashes were compromised; however, encrypted user vault data had not been affected.[34]

2021 third-party trackers and security incident

In 2021, it was discovered that the Android app contained third-party trackers.[35] Also, at the end of 2021, an article at the site BleepingComputer reported that LastPass users were warned that their master passwords were compromised.[36]

2022 customer data and partially-encrypted vault theft

In August 2022, a hacker stole a copy of a customer database, and some copies of the customers' password vaults. The stolen information includes names, email addresses, billing addresses, partial credit cards and website URLs.[37] Some of the data in the vaults was unencrypted, while other data was encrypted with users' master passwords. The security of each user's encrypted data depends on the strength of the user's master password, or whether the password had previously been leaked, and the number of rounds of encryption used. Details of the number of rounds for each customer were stolen. Some customer vaults were more vulnerable to decryption than others.[38][39]
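As an added illustration (not code from LastPass or from the cited sources), the sketch below shows PBKDF2-HMAC-SHA256 key stretching of the kind named in the Overview, and how master-password strength and round count together set the cost of offline guessing, which is why some vaults were more exposed than others. The salt, entropy estimates, round counts and account names are constructed values, not LastPass's.

```python
import hashlib
import math

KEY_LEN = 32  # 256-bit key, the AES-256 key size named in the article


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def expected_guess_work(entropy_bits: float, iterations: int) -> float:
    """Expected HMAC rounds for an offline search of the password space.

    On average half of the 2**entropy_bits candidates are tried, and every
    candidate costs `iterations` rounds, because the salt and the round
    count are known to whoever holds the stolen data.
    """
    return (2.0 ** entropy_bits) / 2 * iterations


def iteration_gain_bits(old_iterations: int, new_iterations: int) -> float:
    """Bits of password entropy that a change in round count is worth."""
    return math.log2(new_iterations / old_iterations)


def rank_by_exposure(accounts):
    """Order accounts weakest first, i.e. who should rotate credentials first."""
    return sorted(
        accounts,
        key=lambda a: expected_guess_work(a["entropy_bits"], a["iterations"]),
    )


# Constructed sample accounts (illustrative values only).
SAMPLE_ACCOUNTS = [
    {"user": "user-a", "entropy_bits": 28, "iterations": 5_000},
    {"user": "user-b", "entropy_bits": 28, "iterations": 640_000},
    {"user": "user-c", "entropy_bits": 60, "iterations": 5_000},
    {"user": "user-d", "entropy_bits": 40, "iterations": 100_000},
]


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"  # assumption: any unique per-user value
    key = derive_vault_key("constructed example passphrase", salt, 5_000)
    print("derived key:", key.hex())

    # Raising the round count 128-fold buys exactly 7 bits; a longer
    # master password buys far more.
    print("gain from 5,000 -> 640,000 rounds:",
          iteration_gain_bits(5_000, 640_000), "bits")

    for acct in rank_by_exposure(SAMPLE_ACCOUNTS):
        work = expected_guess_work(acct["entropy_bits"], acct["iterations"])
        print(f'{acct["user"]}: ~2^{math.log2(work):.1f} HMAC rounds expected')
```

The ranking shows that a strong master password with a low round count (user-c) still outlasts a weak password with a high one (user-b).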

In November 2022, LastPass assured users that passwords stored with the service were still secure.[40]

The customer data included customers' names, billing addresses, phone numbers, email addresses, IP addresses and partial credit card numbers, and the number of rounds of encryption used, MFA seeds and device identifiers.[38] The vault data included, for each breached user, unencrypted website URLs[b][8] and site names, and encrypted usernames, passwords and form data for those sites.[38]

The threat actor first gained unauthorized access to portions of their development environment, source code, and technical information through a single compromised developer's laptop.[41] LastPass responded by re-building their development environment and rotating certificates.[42] The actor, however, used the information to target and hack the computer of a senior DevOps engineer,[42] and used a key logger to obtain that engineer's master password. The actor then gained access to an encrypted corporate vault, which was shared between just four engineers. That vault contained keys to S3 buckets of the backups to customer files.[43] The actor obtained the user database of August 14, 2022, and several password vault backups taken between August 20 and September 16, 2022.[44]

Commentators expressed concerns that if a user's master password was weak or leaked,[38] the encrypted parts of the customer's data could be decrypted.[45] Initially, LastPass stated no action was necessary for the majority of its customers,[46] but other sources recommended changing all passwords and vigilance against possible phishing attacks.[38][47]

A class-action lawsuit was initiated in early 2023, with the anonymous plaintiff stating that LastPass failed to keep users' information safe.[48] Of particular concern in the lawsuit was the increased risk of the details being used in phishing attacks.[48]

In September 2023, a potential link was made between the 2022 data theft and a total of more than $35 million in cryptocurrency that had been stolen from over 150 victims since December 2022. The link was made due to the fact that almost all victims were LastPass users.[49][50]

Notes

  a. ^ URL encryption was added in 2024
  b. ^ URL encryption was added in 2024

References

  1. ^ Chesto, John (April 26, 2022). "LastPass has a new CEO". The Boston Globe. Retrieved 23 February 2023.
  2. ^ Chesto, John (December 14, 2021). "LastPass to stand alone as LogMeIn owners say they'll spin off the password management company". The Boston Globe. Retrieved 23 February 2023.
  3. ^ Siegrist, Joe (9 October 2015). "LastPass Joins the LogMeIn Family". blog.lastpass.com. LogMeIn. Archived from the original on 9 October 2015. Retrieved 8 August 2018.
  4. ^ Stross, Randall (June 11, 2011). "Why Encrypted Passwords Make a Difference". The New York Times. Retrieved May 1, 2024.
  5. ^ Orin, Andy (January 16, 2015). "Behind the App: The Story of LastPass". Lifehacker. Retrieved May 1, 2024.
  6. ^ Gagliordi, Natalie (October 9, 2015). "LastPass bought by LogMeIn for $110 million". ZDNET. Retrieved May 1, 2024.
  7. ^ a b Hale, Craig (May 2, 2024). "LastPass officially splits from former parent GoTo". TechRadar. Retrieved May 2, 2024.
  8. ^ a b Toulas, Bill (May 22, 2024). "LastPass is now encrypting URLs in password vaults for better security". BleepingComputer. Retrieved May 30, 2024.
  9. ^ Newman, Lily Hay. "Yes, It's Time to Ditch LastPass". Wired. ISSN 1059-1028. Archived from the original on 2024-01-23. Retrieved 2022-12-30.
  10. ^ "The best way to manage passwords". LogMeIn. Retrieved 8 August 2018.
  11. ^ Hoffman, Chris (9 August 2012). "11 Ways to Make Your LastPass Account Even More Secure". How-To Geek.
  12. ^ Eddy, Max (30 March 2016). "LastPass Authenticator (for iPhone)". PCMag. Ziff Davis.
  13. ^ a b Chaikivsky, Andrew (7 February 2017). "Everything You Need to Know About Password Managers". Consumer Reports.
  14. ^ Gott, Amber (2 December 2010). "LastPass Acquires Xmarks!". blog.lastpass.com. LogMeIn.
  15. ^ Purdy, Kevin (2 December 2010). "LastPass Acquires Xmarks, Keeping Free Bookmark-Syncing Plans Available". Lifehacker. Gizmodo Media Group.
  16. ^ Brinkmann, Martin (1 April 2018). "LogMeIn to shut down Xmarks on May 1, 2018". gHacks. Archived from the original on 1 April 2018.
  17. ^ Brodkin, Jon (9 October 2015). "LogMeIn buys LastPass password manager for $110 million". Ars Technica. Condé Nast.
  18. ^ Perez, Sarah (9 October 2015). "LogMeIn Acquires Password Management Software LastPass For $110 Million". TechCrunch. Oath Tech Network.
  19. ^ Whitwam, Ryan (16 March 2016). "LastPass Releases Its Own 2-Factor Mobile Authenticator App". AndroidPolice. Illogical Robot.
  20. ^ Siegriest, Joe (2 November 2016). "Get LastPass Everywhere: Multi-Device Access Is Now Free!". blog.lastpass.com. LogMeIn.
  21. ^ Kastrenakes, Jacob (2 November 2016). "There's now one less excuse not to use a password manager". The Verge. Vox Media.
  22. ^ Maring, Joe (3 August 2017). "LastPass announces pricing for 'Families' plan; doubles cost of Premium option". 9to5Google.
  23. ^ "LogMeIn Set to Establish LastPass as an Independent Cloud Security Company Amid Strong Market Demand". LogMeIn. 14 December 2021. Retrieved 11 October 2022.
  24. ^ Chesto, Jon (May 2, 2024). "LastPass completes spinoff from GoTo". The Boston Globe.
  25. ^ Rubenking, Neil (20 March 2009). "LastPass 1.50 Review". PCMag. Ziff Davis. Archived from the original on 24 March 2009.
  26. ^ Rubenking, Neil (November 2, 2016). "LastPass 4.0 Review". PC Magazine. Retrieved November 2, 2016.
  27. ^ Gibson, Steve; Laporte, Leo (10 June 2010). "Security Now 256: LastPass Security". TWiT.tv.
  28. ^ Gibson, Steve; Laporte, Leo (11 September 2013). "Security Now 421: The Perfect Accusation". TWiT.tv.
  29. ^ Brodkin, Jon (9 October 2015). "LogMeIn buys LastPass password manager for $110 million". Ars Technica. Condé Nast.
  30. ^ "LastPass bought by LogMeIn for $110 million; ... outcry from LastPass users, some of whom say they refuse to do business with LogMeIn". ZDNet. 2015-10-09. Retrieved 2019-06-12.
  31. ^ "LastPass Joins LogMeIn, But Not Everyone Is Thrilled About It". Forbes. 2015-10-09. Retrieved 2019-06-12.
  32. ^ "LogMeIn acquires LastPass to beef up identity portfolio". InfoWorld. 2015-10-09. Retrieved 2019-06-12.
  33. ^ Shah, Megha (20 March 2019). "LastPass by LogMeIn Awarded 2019 InfoSec Recognition". Tech Funnel.
  34. ^ Goodin, Dan (June 15, 2015). "Hack of cloud-based LastPass exposes hashed master passwords". Ars Technica. Condé Nast.
  35. ^ Anderson, Tim (25 February 2021). "1Password has none, KeePass has none... So why are there seven embedded trackers in the LastPass Android app?". The Register. Retrieved 31 August 2023.
  36. ^ Gatlan, Sergiu. "LastPass users warned their master passwords are compromised". BleepingComputer. Retrieved 28 December 2021.
  37. ^ Goodin, Dan (26 August 2022). "The number of companies caught up in recent hacks keeps growing". Ars Technica. Retrieved 2024-09-19.
  38. ^ a b c d e Goodin, Dan (22 December 2022). "LastPass users: Your info and vault data is now in hackers' hands". Ars Technica. Retrieved 2022-12-22.
  39. ^ Clark, Mitchell (23 December 2022). "Hackers stole encrypted LastPass password vaults, and we're just now hearing about it". The Verge. Retrieved 2024-09-20.
  40. ^ Gatlan, Sergiu (2022-11-30). "Lastpass says hackers accessed customer data in new breach". BleepingComputer.
  41. ^ Toubba, Karim. "Notice of Recent Security Incident". LastPass Blog. Retrieved 26 August 2022.
  42. ^ a b Toubba, Karim (1 March 2023). "Security Incident Update and Recommended Actions". The LastPass Blog. Retrieved 2023-03-05.
  43. ^ Goodin, Dan (28 February 2023). "LastPass says employee's home computer was hacked and corporate vault taken". Ars Technica. Retrieved 2023-02-28.
  44. ^ "What data was accessed? - LastPass Support". support.lastpass.com. Retrieved 2023-03-05.
  45. ^ Sharwood, Simon. "LastPass admits attackers copied password vaults". www.theregister.com. Retrieved 2022-12-27.
  46. ^ Toubba, Karim (22 December 2022). "Notice of Recent Security Incident". The LastPass Blog. Retrieved 2022-12-22.
  47. ^ "LastPass finally admits: Those crooks who got in? They did steal your password vaults, after all…". Naked Security. 23 December 2022. Retrieved 2022-12-28.
  48. ^ a b Kan, Michael. "LastPass Faces Class-Action Lawsuit Over Password Vault Breach". PCMAG. Retrieved 2023-01-06.
  49. ^ Weatherbed, Jess (2023-09-07). "LastPass security breach linked to $35 million stolen in crypto heists". The Verge. Retrieved 2023-09-08.
  50. ^ "Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach – Krebs on Security". 9 September 2023. Retrieved 2024-09-20.
