A security researcher is advising people to stay away from the LastPass password manager after pointing out seven trackers found in the Android app. Although there is no proof that the trackers, which were analyzed by researcher Mike Kuketz, are transferring a user’s passwords or usernames, Kuketz claims their presence is bad practice for a security-critical app handling such sensitive information.
In response, a spokesperson from LastPass says the company gathers limited data “about how LastPass is used” to help it “improve and optimize the product.” Importantly, LastPass tells The Register that “no sensitive personally identifiable user data or vault activity could be passed through these trackers,” and users can opt out of the analytics in the Privacy section of the Advanced Settings menu.
Kuketz analyzed the data being transmitted and found it contained information about the smartphone’s make and model, and about biometric security, if the user has any enabled.
“If you actually use LastPass, I recommend changing the password manager,” wrote Kuketz (via machine translation). “There are solutions that do not permanently send data to third parties and record user behavior.”
LastPass isn’t the only password manager to include trackers like this, but it appears to have more than many popular competitors.