DevSecOps-Security-Privacy History

LastPass Password Manager – 2008 AD

Return to Timeline of the History of Computers

LastPass logo.svg

LastPass is a freemiumpassword manager that stores encrypted passwords online. The standard version of LastPass comes with a web interface, but also includes plugins for various web browsers and apps for many smartphones.[1] It also includes support for bookmarklets.[3]LogMeIn, Inc. acquired LastPass in October 2015.[4]

Original author(s)Marvasol, Inc. (dba LastPass)
Initial releaseAugust 22, 2008
PlatformFirefoxGoogle ChromeInternet Explorer 11SafariOperaAndroid 5.0 and later, iOS 11 and later, Windows 7 and later, macOSUWPx86 and AMD64 LinuxMaxthon[1]
Available inEnglish and 6 other languages[2]
TypePassword manager


A user’s content in LastPass, including passwords and secure notes, is protected by one master password. The content is synchronized to any device the user uses the LastPass software or app extensions on. Information is encrypted with AES-256 encryption with PBKDF2 SHA-256salted hashes, and the ability to increase password iterations value. Encryption and decryption takes place at the device level.[1][5]

LastPass has a form filler that automates password entering and form filling, and it supports password generation, site sharing and site logging, and two-factor authentication. LastPass supports two-factor authentication via various methods including the LastPass Authenticator app for mobile phones as well as others including YubiKey.[6] LastPass is available as an extension to many web browsers, including Google Chrome, Mozilla Firefox, Apple SafariMicrosoft EdgeVivaldi, and Opera. It also has apps available for smartphones running the AndroidiOS, or Windows Phone operating systems. The apps have offline functionality.[1]

Unlike some other major password managers, LastPass offers a user-set password hint, allowing access when the master password is missing.[7]

Security issues

2011 security incident

On Tuesday, May 3, 2011, LastPass discovered an anomaly in their incoming network traffic, then a similar anomaly in their outgoing traffic. Administrators found none of the hallmarks of a classic security breach (for example, a non-administrator user being elevated to administrator privileges), but neither could they determine the anomalies’ cause. Furthermore, given the size of the anomalies, it was theoretically possible that data such as email addresses, the server salt, and the salted password hashes were copied from the LastPass database. To address the situation, LastPass took the “breached” servers offline so they could be rebuilt and, on May 4, 2011, requested all users change their master passwords. They said that while there was no direct evidence that any customer information was compromised, they preferred to err on the side of caution. However, the resulting user traffic overwhelmed the login servers, and company administrators—considering the possibility that existing passwords had been compromised was trivially small—asked users to delay changing their passwords until further notice.[28][29]

2015 security breach

On Monday, June 15, 2015, LastPass posted a blog post indicating that the LastPass team had discovered and halted suspicious activity on their network the previous Friday. Their investigation revealed that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised; however, encrypted user vault data had not been affected. The company blog said, “We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.”[30][31]

2016 security incidents

In July 2016, a blog post published by independent online security firm Detectify detailed a method for reading plaintext passwords for arbitrary domains from a LastPass user’s vault when that user visited a malicious web site. This vulnerability was made possible by poorly written URL parsing code in the LastPass extension. The flaw was not disclosed publicly by Detectify until LastPass was notified privately and able to fix their browser extension.[32] LastPass responded to the public disclosure by Detectify in a post on their own blog, in which they revealed knowledge of an additional vulnerability, discovered by a member of the Google Security Team, and already fixed by LastPass.[33]

2017 security incidents

On March 20, Tavis Ormandy discovered a vulnerability in the LastPass Chrome extension. The exploit applied to all LastPass clients, including Chrome, Firefox and Edge. These vulnerabilities were disabled on March 21, and patched on March 22.[34]

On March 25, Ormandy discovered an additional security flaw allowing remote code execution based on the user navigating to a malicious website. This vulnerability was also patched.[35][36]

2019 security incidents

On Friday, August 30, 2019, Tavis Ormandy reported a vulnerability in the LastPass browser extension in which Web sites with malicious JavaScript code could obtain a username and password inserted by the password manager on the previously visited site.[37][38] By September 13, 2019, Lastpass publicly announced the vulnerability, acknowledging the issue was limited to the Google Chrome and Opera extensions only; nonetheless, all platforms received the vulnerability patch.[39] [40]

Fair Use Sources: B07C2NQSPV