Movatterモバイル変換

[0]ホーム
URL:

Jump to content
WikipediaThe Free Encyclopedia
Search

LastPass

From Wikipedia, the free encyclopedia
Password management software
icon
This articlerelies excessively onreferences toprimary sources. Please improve this article by addingsecondary or tertiary sources.
Find sources: "LastPass" – news ·newspapers ·books ·scholar ·JSTOR(February 2024) (Learn how and when to remove this message)
LastPass
Company typePrivate
Industry
GenrePassword manager
Founded2008; 18 years ago (2008)
Headquarters125 High Street,,
United States
Key people
Karim Toubba, CEO (2022-Present)
Revenue$200 million (2021)
Owners
Number of employees
800+ (2024)
Websitelastpass.com
Footnotes / references
[1][2]

LastPass is apassword manager application.[3] The standard version of LastPass comes with aweb interface, but also includes abrowser extension, anapp and support forbookmarklets.

Founded in 2008 by four developers,[4][5] Lastpass was acquired byGoTo (formerly LogMeIn Inc.) for $110 million in 2015.[6] LastPass was spun-off from GoTo into a stand-alone business in 2024.[7]

LastPass suffered significantsecurity incidents between 2011 and 2022. Notably, in late 2022, user data, billing information, and vaults (with some fields encrypted and others not)[a][8] were breached, leading many security professionals to call for users to change all their passwords and switch to other password managers.[9]

Overview

[edit]

A user's content in LastPass, includingpasswords and secure notes, is protected by one master password. The content issynchronized to any device the user uses the LastPass software or app extensions on. Information is encrypted withAES-256 encryption withPBKDF2SHA-256,saltedhashes, and the ability to increase password iterations value. Encryption and decryption take place at the device level.[10][11]

LastPass has aform filler that automates password entering and form filling, and it supportspassword generation, site sharing and site logging, and two-factor authentication. LastPass supportstwo-factor authentication via various methods including the LastPass Authenticator app for mobile phones as well as others includingYubiKey.[12]

Unlike some other major password managers, LastPass offers a user-setpassword hint, allowing access when the master password is missing.[13]

History

[edit]

On December 2, 2010, it was announced that LastPass had acquiredXmarks, a web browser extension that enabled password synchronization between browsers. The acquisition meant the survival of Xmarks, which had financial troubles, and although the two services remained separate, the acquisition led to a reduced price for paid premium subscriptions combining the two services.[14][15] On March 30, 2018, the Xmarks service was announced to be shut down on May 1, 2018, according to an email to LastPass users.[16]

On October 9, 2015, GoTo acquired LastPass for $110 million. The company was combined under the LastPass brand with a similar product, Meldium, which had already been acquired by GoTo.[17][18]

On March 16, 2016, LastPass released LastPass Authenticator, a free two-factor authentication app.[19]

On November 2, 2016, LastPass announced that free accounts would now support synchronizing user content to any device, a feature previously exclusive to paid accounts. Earlier, a free account on the service meant it would sync content to only one app.[20][21]

In August 2017, LastPass announced LastPass Families, a family plan for sharing passwords, bank account info, and other sensitive data among family members for a $48 annual subscription. They also doubled the price of the Premium version without adding any new features to it. Instead, some features of the free version were removed.[22]

On December 14, 2021, GoTo announced that LastPass would be established as an independent company.[23] The spin-off was completed in May 2024, with LastPass being directly controlled byFrancisco Partners andElliott Investment Management, theprivate equity firms that took GoTo private in 2020.[7][24]

Reception

[edit]

In March 2009,PC Magazine awarded LastPass five stars, an "Excellent" mark, and their "Editors' Choice" for password management.[25] A new review in 2016 following the release of LastPass 4.0 earned the service again five stars, an "Outstanding" mark, and "Editors' Choice" honor.[26]

In July 2010, LastPass's security model was extensively covered and approved of bySteve Gibson in hisSecurity Now podcast episode 256.[27] He also revisited the subject and how it relates to theNational Security Agency in Security Now podcast episode 421.[28]

In October 2015 when GoTo acquired LastPass, founder Joe Siegrist's blog was filled with user comments voicing criticism of GoTo.[29] Web sites ZDNet, Forbes and Infoworld posted articles mentioning the outcry by existing customers, some of whom said they would refuse to do business with GoTo, and raised other concerns about GoTo's reputation.[30][31][32]

In a 2017Consumer Reports article commented LastPass a popular password manager (alongsideDashlane,KeePass, and1Password), with the choice between them mostly down to personal preference.[13] In March 2019, Lastpass was awarded the Best Product in Identity Management award during the seventh annual Cyber Defense Magazine InfoSec Awards.[33]

In 2017,Stiftung Warentest evaluated nine paid password managers and rated LastPass Premium as one of four recommended products.[34] The test was later updated to include the 2022 LastPass breach.[35]

Security incidents

[edit]

LastPass has faced ongoing scrutiny regarding its security practices and incident response over the years. Several independent analyses and reported breaches have raised concerns about how the company handles user data, mitigates vulnerabilities, and communicates risks to its customers. While LastPass employsindustry-standard encryption to protect stored credentials, past security incidents and research findings have prompted debate over the platform’s overall reliability and its approach to safeguarding sensitive information.[36][37]

2011 security incident

[edit]

In May 2011, LastPass reported detecting unusual network activity that indicated a possible intrusion into its servers. Although the company stated that no evidence of data exfiltration was found, it required all users to reset their master passwords as a precaution. According to LastPass, encrypted user vault data was not compromised.[38][39]

2015 security breach

[edit]

In June 2015, the LastPass team discovered and halted suspicious activity on their network. Their investigation revealed that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised; however, encrypted user vault data was not affected.[40]

2017 Security vulnerabilities in Android App

[edit]

A 2017 analysis by theFraunhofer-Institut für Sichere Informationstechnologie (SIT) identified several security flaws in multiple Android password managers, including LastPass.[41] The issues, which include improperly stored master passwords[42] and Data leakage,[43][44] were reported to the developers and subsequently fixed.[45]

2021 third-party trackers and security incident

[edit]

In 2021, it was discovered that the Android app containedthird-party trackers.[46] At the end of 2021, LastPass warned users that their master passwords were compromised.[47]

2022 customer data and partially-encrypted vault theft

[edit]
This section is an excerpt fromLastPass 2022 data breach.[edit]

TheLastPass 2022 data breach refers to two related security incidents disclosed by the password manager LastPass in 2022. In the first incident, an attacker accessed parts of LastPass's development environment and exfiltrated source code repositories and technical documentation, including an encrypted copy of the key used to protect backups of customer data stored inAmazon S3.

In a second incident, a senior DevOps engineer's personal computer was compromised, and the attacker used a keystroke logger to obtain the employee's credentials and access an internal vault holding further keys. According to the UKInformation Commissioner's Office (ICO), this enabled access to and exfiltration of a backup database and copies of some customers’ password vault data, which included both unencrypted fields (such as some website URLs) and encrypted fields (such as usernames and passwords).

The breach prompted litigation and regulatory scrutiny, including a monetary penalty issued by the ICO in November 2025 against LastPass UK Ltd for failures to implement appropriate technical and organisational measures affecting over one million UK data subjects. The breach led to further incidents because stolen vault backups can be subjected to offline cracking attempts: in 2025 LastPass settled a class action lawsuit in the amount of $24.5 million for losses incurred by customers whose vaults had been accessed.

2024 Leakage via Injection Attacks

[edit]

A 2024 study by Fábrega et al. demonstrated that many popular password managers are vulnerable to injection attacks. LastPass was affected due to its handling of application-wide security metrics, allowing an attacker to inject crafted shared entries and observe externally logged data (such as duplicate-password counts) to determine whether their injected values matched passwords stored in a victim’s vault.[48]

2024 Evaluation of Password Checkup Tools

[edit]

A 2024 study by Hutchinson et al. examined the “password checkup” features of 14 password managers, including LastPass, using weak, breached, and randomly generated passwords. The authors found that the evaluated products reported weak and compromised passwords inconsistently and sometimes incompletely. No manager successfully flagged all known breached passwords. The study concludes that such inconsistencies may give users a false sense of security.[49]

2025 DOM-based Extension Clickjacking

[edit]

Security researcher Marek Tóth presented a vulnerability in browser extensions of several password managers (including LastPass) atDEF CON 33 on August 9, 2025. In their default configurations, these extensions were shown to be exposed to a DOM-based extension clickjacking technique, allowing attackers to exfiltrate user data with just a single click.[50] The affected password manager vendors were notified in April 2025. According to Tóth, LastPass version 4.146.8 (September 12, 2025),[51] which was intended to address the issue, remains vulnerable.[52]

See also

[edit]

Notes

[edit]
  1. ^URL encryption was added in 2024

References

[edit]
  1. ^Chesto, John (April 26, 2022)."LastPass has a new CEO".The Boston Globe. Retrieved23 February 2023.
  2. ^Chesto, John (December 14, 2021)."LastPass to stand alone as LogMeIn owners say they'll spin off the password management company".The Boston Globe. Retrieved23 February 2023.
  3. ^Siegrist, Joe (9 October 2015)."LastPass Joins the LogMeIn Family".blog.lastpass.com.LogMeIn. Archived fromthe original on 9 October 2015. Retrieved8 August 2018.
  4. ^Stross, Randall (June 11, 2011)."Why Encrypted Passwords Make a Difference".The New York Times. RetrievedMay 1, 2024.
  5. ^Orin, Andy (January 16, 2015)."Behind the App: The Story of LastPass".Lifehacker. RetrievedMay 1, 2024.
  6. ^Gagliordi, Natalie (October 9, 2015)."LastPass bought by LogMeIn for $110 million".ZDNET. RetrievedMay 1, 2024.
  7. ^abHale, Craig (May 2, 2024)."LastPass officially splits from former parent GoTo".TechRadar. RetrievedMay 2, 2024.
  8. ^Toulas, Bill (May 22, 2024)."LastPass is now encrypting URLs in password vaults for better security".BleepingComputer. RetrievedMay 30, 2024.
  9. ^Newman, Lily Hay."Yes, It's Time to Ditch LastPass".Wired.ISSN 1059-1028.Archived from the original on 2024-01-23. Retrieved2022-12-30.
  10. ^"The best way to manage passwords".LogMeIn. Retrieved8 August 2018.
  11. ^Hoffman, Chris (9 August 2012)."11 Ways to Make Your LastPass Account Even More Secure".How-To Geek.
  12. ^Eddy, Max (30 March 2016)."LastPass Authenticator (for iPhone)".PCMag.Ziff Davis.
  13. ^abChaikivsky, Andrew (7 February 2017)."Everything You Need to Know About Password Managers".Consumer Reports.
  14. ^Gott, Amber (2 December 2010)."LastPass Acquires Xmarks!".blog.lastpass.com.LogMeIn.
  15. ^Purdy, Kevin (2 December 2010)."LastPass Acquires Xmarks, Keeping Free Bookmark-Syncing Plans Available".Lifehacker.Gizmodo Media Group.
  16. ^Brinkmann, Martin (1 April 2018)."LogMeIn to shut down Xmarks on May 1, 2018".Ghacks.Archived from the original on 1 April 2018.
  17. ^Brodkin, Jon (9 October 2015)."LogMeIn buys LastPass password manager for $110 million".Ars Technica.Condé Nast.
  18. ^Perez, Sarah (9 October 2015)."LogMeIn Acquires Password Management Software LastPass For $110 Million".TechCrunch.Oath Tech Network.
  19. ^Whitwam, Ryan (16 March 2016)."LastPass Releases Its Own 2-Factor Mobile Authenticator App".AndroidPolice. Illogical Robot.
  20. ^Siegriest, Joe (2 November 2016)."Get LastPass Everywhere: Multi-Device Access Is Now Free!".blog.lastpass.com.LogMeIn.
  21. ^Kastrenakes, Jacob (2 November 2016)."There's now one less excuse not to use a password manager".The Verge.Vox Media.
  22. ^Maring, Joe (3 August 2017)."LastPass announces pricing for 'Families' plan; doubles cost of Premium option".9to5Google.
  23. ^"LogMeIn Set to Establish LastPass as an Independent Cloud Security Company Amid Strong Market Demand". LogMeIn. 14 December 2021. Retrieved11 October 2022.
  24. ^Chesto, Jon (May 2, 2024)."LastPass completes spinoff from GoTo".The Boston Globe.
  25. ^Rubenking, Neil (20 March 2009)."LastPass 1.50 Review".PCMag.Ziff Davis. Archived from the original on 24 March 2009.
  26. ^Rubenking, Neil (November 2, 2016)."LastPass 4.0 Review".PC Magazine. RetrievedNovember 2, 2016.
  27. ^Gibson, Steve; Laporte, Leo (10 June 2010)."Security Now 256: LastPass Security".TWiT.tv.
  28. ^Gibson, Steve; Laporte, Leo (11 September 2013)."Security Now 421: The Perfect Accusation".TWiT.tv.
  29. ^Brodkin, Jon (9 October 2015)."LogMeIn buys LastPass password manager for $110 million".Ars Technica.Condé Nast.[verification needed]
  30. ^Gagliordi, Natalie (2015-10-09)."LastPass bought by LogMeIn for $110 million; ... outcry from LastPass users, some of whom say they refuse to do business with LogMeIn".ZDNet. Retrieved2019-06-12.[verification needed]
  31. ^"LastPass Joins LogMeIn, But Not Everyone Is Thrilled About It".Forbes. 2015-10-09. Retrieved2019-06-12.[verification needed]
  32. ^"LogMeIn acquires LastPass to beef up identity portfolio".InfoWorld. 2015-10-09. Retrieved2019-06-12.[verification needed]
  33. ^Shah, Megha (20 March 2019)."LastPass by LogMeIn Awarded 2019 InfoSec Recognition".Tech Funnel.
  34. ^"Stiftung Warentest testet Passwort-Manager: Vier empfehlenswert".DER STANDARD (in Austrian German). Retrieved2025-11-22.
  35. ^Warentest, Stiftung (2022-06-22)."Passwort-Manager im Test".www.test.de (in German). Retrieved2025-11-22.
  36. ^"The LastPass Data Breach (Event Timeline And Key Lessons) | UpGuard".www.upguard.com. Retrieved2025-12-05.
  37. ^"What Did the LastPass Breach Reveal About Password Manager Security?".SecurityScorecard. Retrieved2025-12-05.
  38. ^"LastPass Security Notification".LastPass Blog. May 4, 2011. Retrieved2025-12-05.
  39. ^Fried, Ina (May 5, 2011)."LastPass urges users to change master passwords".CNET. Retrieved2025-12-05.
  40. ^Goodin, Dan (June 15, 2015)."Hack of cloud-based LastPass exposes hashed master passwords".Ars Technica.Condé Nast.
  41. ^"Passwort-Manager unter Android mit gravierenden Defiziten".DER STANDARD (in Austrian German). Retrieved2025-11-22.
  42. ^"SIK-2016-022".TeamSIK (in German). Retrieved2025-11-22.
  43. ^"SIK-2016-023".TeamSIK (in German). Retrieved2025-11-22.
  44. ^"SIK-2016-024".TeamSIK (in German). Retrieved2025-11-22.
  45. ^"Password-Manager Apps".TeamSIK (in German). Retrieved2025-11-22.
  46. ^Anderson, Tim (25 February 2021)."1Password has none, KeePass has none... So why are there seven embedded trackers in the LastPass Android app?".The Register. Retrieved31 August 2023.
  47. ^Gatlan, Sergiu."LastPass users warned their master passwords are compromised".Bleeping Computer. Retrieved28 December 2021.
  48. ^Fábrega, Andrés; Namavari, Armin; Agarwal, Rachit; Nassi, Ben; Ristenpart, Thomas (2024). "Exploiting Leakage in Password Managers via Injection Attacks".arXiv:2408.07054v1 [cs.CR].
  49. ^Hutchinson, Adryana; Munyendo, Collins W.; Aviv, Adam J; Mayer, Peter (2024-05-11). "An Analysis of Password Managers' Password Checkup Tools".Extended Abstracts of the CHI Conference on Human Factors in Computing Systems. CHI EA '24. New York, NY, USA: Association for Computing Machinery. pp. 1–7.doi:10.1145/3613905.3650741.ISBN 979-8-4007-0331-7.
  50. ^Benedict Collins (2025-08-22)."Multiple top password managers vulnerable to password stealing clickjacking attacks - here's what we know".TechRadar. Retrieved2025-11-09.
  51. ^"LastPass - Release Notes".lastpass.com. Retrieved2025-11-09.
  52. ^Tóth, Marek (2025-08-09)."DOM-based Extension Clickjacking: Your Password Manager Data at Risk".marektoth.com. Retrieved2025-11-09.

External links

[edit]
Proprietary
Open source
Discontinued
Retrieved from "https://en.wikipedia.org/w/index.php?title=LastPass&oldid=1338170993"
Categories:
Hidden categories:
[8]ページ先頭
©2009-2026 Movatter.jp