Depending on who you ask, a password manager is probably the last thing you want breached. Others may be more inclined to keep their physical valuables safe, but digital accounts hold personal and financial information you really don’t want in the wrong hands. Ever. So when it became clear that LastPass had a potential vulnerability related to trackers in the app, people were quick to find an easy-to-implement patch.
A few weeks ago, LastPass announced some changes to its free tier that now limit users to only one platform, either mobile or desktop. The bad news didn’t end there, apparently, because it looks like the platform is home to at least seven trackers by default.
Who’s tracking what?
Okay, so what are trackers and why is this a bit of an issue? Trackers are used to send data from one site to some other server. For example, a Facebook tracker on an advert will send data about the person who views it back to Facebook’s server, so they know person X in SA saw the ad and can serve more ads of that type to you.
Long story short, LastPass has a bunch of trackers embedded in its site. A German researcher called Mike Kuketz picked this up upon analysis of the LastPass app, after which he opted to do an in-depth check. He found that four of these trackers are from Google and are used for analytics and crash reporting. The remaining three originate from AppsFlyer, MixPanel and Segment, all used for marketing across platforms.
LastPass has commented on the inclusion of these trackers, saying no usernames or passwords travel through the trackers to outside servers. Phew! Our information is safe! If you’re still not convinced, however, there’s a way to bypass all of these trackers in LastPass.
How to avoid the LastPass leeches
You’ll have to head to your desktop for this part. Open the LastPass vault using a web browser, head to Account Settings and hit ‘Show Advanced Settings’. Scroll down to the privacy section and deselect ‘Help improve LastPass’. That’s the bugger that’s sending data to other servers without your permission.
All you have to do now is hit the ‘Update’ button and enter your master password so the new settings are cemented in history as the day you chose to secure your password manager.
Before you ask, this is actually a fairly common feature across password managers. There’s not much reason to ditch LastPass just because of the pesky trackers. Besides, learning to properly manage your data within apps is one of the best things you can do for your online health.