Although there is no indication that the tracking tools analyzed by the researcher Mike Kuketz are conveying actual passwords or usernames, Kuketz says that having these tools is bad practice for a security-critical application that handles such sensitive information.
Responding to the report, a LastPass spokesperson said the company gathers limited data on how the app is used to help it improve the product.
The spokesperson added: No personally identifiable sensitive user data or stored activity can be passed through these trackers, and users can opt out of analytics in the privacy section in the advanced settings menu.
The LastPass app includes four trackers from Google, which handle analytics and crash reporting, as well as a tracker from a company called Segment, which is said to collect data for marketing teams.
Kuketz analyzed the data being sent and found that it includes information about the smartphone’s manufacturer and model, as well as information about whether or not the user has activated the biometric security feature.
And even if the data sent is not personally identifiable, merely integrating third-party code introduces the potential for vulnerabilities, according to the security researcher.
“If you use LastPass, I recommend changing the password manager, and there are solutions that do not permanently send data to third parties and do not log user behavior,” he wrote.
LastPass isn’t the only password manager with trackers like these, but it appears to have more of them than many of its popular competitors.
According to the Exodus Android privacy audit platform, the free alternative Bitwarden contains fewer trackers, while RoboForm and Dashlane have four, and 1Password does not contain any.
The report comes on the heels of LastPass announcing its intention to severely reduce the functionality of the free plan, with changes to take effect on March 16th.
While free plan users can currently store an unlimited number of passwords across devices without restrictions, they will soon have to choose one category of devices to view and manage passwords, either via a mobile phone or computer, unless they want to pay for the service.