LastPass in privacy hot seat over web trackers

A security researcher recommends dropping LastPass after a privacy advocacy app discovered seven web trackers in the password manager.

Rae Hodge Former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.

LastPass' slate of web trackers is in the spotlight after a security researcher recommended switching away from the password manager based on the findings of a well-known privacy advocacy app. The analysis follows LastPass' recently announced restrictions to its free-tier service, which will become effective in March. 

The Exodus Privacy app, developed by the Guardian Project to document the number of trackers and permissions other apps use, discovered seven web trackers in the Android version of LastPass. Highlighting the findings in an analysis published Thursday, German security researcher Mike Kuketz recommended users move away from the password manager in favor of one without trackers. 

The web trackers on LastPass include those from Google Analytics, AppsFlyer and Mixpanel. While LastPass' password encryption normally protects your passwords from being viewed by any tracker or site, these trackers let third-party companies collect a startlingly complete record of the sites you visit. 

"These trackers are industry standard mobile analytics tools and are used for a limited purpose -- to collect aggregated statistical data about how LastPass is used to help us improve and optimize the product to deliver the best user experience," LastPass said in a public statement. 

The company also said it is continuously reviewing its processes to prioritize customer privacy and security. In his analysis, however, Kuketz said he was unable to opt out of sharing data with LastPass' trackers.

By comparison, Exodus Privacy found LastPass competitors 1Password and KeePass have no trackers. 
