Keeping track of all the passwords we use daily to access our online accounts and services can be difficult which is why password managers such as LastPass are becoming increasingly popular among both businesses and consumers.
However, a German security researcher named Mike Kuketz is now advising users to avoid using LastPass’ Android app due to the fact that it contains seven embedded trackers. While the company says that users can opt out of these trackers, their very existence could induce risks to such a security-critical application.
According to a new report from the non-profit organization Exodus, of the trackers found in the LastPass Android app, four are from Google for analytics and crash reporting while the others are from AppsFlyer, MixPanel and Segment. Segment is particularly concerning because the company gathers data for marketing teams to profile users and connect their activity across different platforms to serve targeted ads.
In his investigation, Kuketz also looked into what data is transmitted by LastPass’ Android app by inspecting the network traffic to discover that it sends details about the device being used, the mobile operator, the type of LastPass account and the Google Advertising ID which is able to connect data about a user across different apps.
Tracking in password managers
LastPass wasn’t the only password manager examined in Exodus’ report and the firm found that 1Password and KeePass contain no trackers while the open source Bitwarden has one for Google Firebase analytical and one for Microsoft Visual Studio crash reporting and Dashlane has four trackers.
Password managers are the simplest and most efficient way for people to avoid reusing the same password across multiple sites and services since many contain password generators which can create strong, complex and unique passwords with the tap of a button.
In a statement to The Register, a spokesperson from LastPass explained that the company uses trackers to improve its own service and that no identifiable user data could be passed on through them, saying:
“No sensitive personally identifiable user data or vault activity could be passed through these trackers. These trackers collect limited aggregated statistical data about how you use LastPass which is used to help us improve and optimize the product. All LastPass users, regardless of browser or device, are given the option to opt-out of these analytics in their LastPass Privacy Settings, located in their account here: Account Settings > Show Advanced Settings > Privacy. We are continuously reviewing our existing processes and working to make them better to comply, and exceed, the requirements of current applicable data protection standards.”
Regardless of whether you choose LastPass or a different password manager, investing in such a service can be an excellent way to improve your security posture and avoid falling victim to identity theft.
Via The Register