
Is LastPass Secure? Everything You Need to Know

Aug 21, 2025 | Reading time 9 minutes
Author: Eric Boersma, Senior Software Engineer

Using a password manager is a key part of good digital hygiene. Today’s online ecosystem requires that you create and remember hundreds or even thousands of passwords for your online accounts. It’s impossible to remember that many passwords, and it’s a terrible idea to reuse a password across multiple websites. If you do, an attacker who obtains one set of credentials can compromise many of your accounts.

For this reason, security experts recommend using a password manager to generate and save randomized passwords. One of the most popular of these password managers is LastPass. But if you’re trusting LastPass with all of your most sensitive digital information, that raises a critical question: is LastPass secure? In this post, we’re going to evaluate the security of LastPass so you can make an informed decision.

What Is LastPass?

LastPass is an integrated password manager. The company that develops the LastPass application was founded in 2008, acquired by GoTo in 2015, and then spun back out as an independent company in 2024. The pitch for LastPass is simple: it integrates with your browsers and mobile devices to make creating, saving, and retrieving passwords trivial.

The wide variety of supported platforms and deep level of system integration make adopting LastPass easy and effective. But as a tool that stores your most important digital information, you need it to be secure. If it’s not, it simply moves all your valuables into a convenient location for attackers.

Is LastPass Secure?

To answer the question of whether LastPass is secure, we’re going to look at things from a couple of different angles. First, we’ll look into the security of their browser extensions, which integrate into tools like Firefox and Chrome. And then we’ll take a look at their underlying company security to determine if their central servers are safely storing customer data.

Browser Extension Analysis

To examine the LastPass browser extension, we’re going to use SpinOne, the application and browser extension risk evaluation tool. SpinOne maintains risk information and active risk analysis for most common third-party software tools. You can search for any app or plugin using their free risk assessment tool.

For this particular instance, we’ve already run the analysis on LastPass. It turns out that the question of whether or not LastPass is secure is a common one that customers ask. Let’s walk through the different security concerns around browser extensions and evaluate how LastPass rates.

Versioning Concerns

One key concern with browser extensions is versioning. When most users install a browser extension, they enable automatic updates. That means that whenever a developer ships a buggy or compromised version of the software, which happens often, nearly every user receives it automatically and is in trouble. This is especially true when an attacker manages to upload a malicious version of the extension.

The 2025 Cyberhaven Attack is a great example of how this can happen to any third-party extension, including cybersecurity tools. A developer was compromised in a phishing campaign, which made his account the vector for an attack that led to the release of numerous malicious extensions and ultimately put 3.7 million users at risk. SpinLabs researchers discovered 8 of those compromised extensions.

Evaluate Each Version

In particularly sensitive environments, the best option is to evaluate each version of the software as the developer releases it. If you’re a personal user, this is often not feasible, but you can build a useful proxy by checking whether the application is frequently updated by a reputable developer. In this case, LastPass is a reputable developer, and they regularly ship functionality and security updates. This helps them avoid common security vulnerabilities. For most users and companies, LastPass’s browser extension will have a secure version that you can adopt.

Data Collection and Sharing Concerns

Another major concern with browser extensions is what kind of data they collect. An extension that collects (and thus either saves or transmits) more data from your browser exposes you to greater risk than one that collects no data at all.

When it comes to password managers, there isn’t any way around it: they have to collect a bunch of sensitive data. It’s likely that you’ll use LastPass to store information like your usernames, passwords, credit card numbers, and address. That’s highly valuable digital data. There’s no way around this behavior for a password manager. You simply need to hope that LastPass keeps your data safe. We’ll cover that further in the next section.

When it comes to data sharing, one thing to look for is whether or not the extension is talking to external URLs on the back end. You’ll need a specialized risk assessment to find out, but in some cases, apps may be leveraging LLMs on the back end without users’ knowledge. That would certainly qualify as risky. In other cases, they may be talking to known malicious or risky URLs, which could be the start of a future data exfiltration attack. In the case of LastPass, everything looks okay for current versions as of the date of this article, but it’s always important to research future versions before rolling out any updates.

Permission Concerns

Another core consideration for browser extensions is what kind of permissions they request. An extension that can read all of the information on every webpage is different from one that can only read information from one webpage. Chrome provides a broad set of permissions that browser extensions may request, and users are prompted to approve those permissions, either on extension installation or when an update changes the permission request.

How does LastPass rank? Well, mostly pretty well. LastPass does require the ability to read and write information on any webpage, but that’s a necessary permission requirement because it needs that ability to input your username and password into the appropriate form fields when you sign in. Beyond that, though, LastPass requests minimal additional permissions. This is good application design; LastPass requests only the permissions needed to do its job and no more.
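The permission-breadth check described above, together with the "does an update change what the extension asks for" check from the versioning section, can be automated against an extension's manifest.json. The script below is an added example written for this post; it is not SpinOne's code or LastPass's real manifest. The three manifests are constructed samples: a password-manager-style extension that needs every page (like the LastPass case above), a single-site extension, and an updated version of the first one that quietly adds webRequest and cookies. The permission and host-pattern names are real Chrome manifest values; the scoring thresholds are an assumption chosen for illustration.

```python
"""Score a Chrome-style extension manifest by how much access it requests, and
report what an update adds so a reviewer can see what users will be re-prompted for.
Added example, not vendor code. Sample manifests below are constructed."""

# Host match patterns that grant access to every page (real match-pattern forms).
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that widen what an extension can observe or change (real Chrome names).
SENSITIVE_API_PERMISSIONS = {
    "tabs", "webRequest", "webRequestBlocking", "cookies", "history",
    "clipboardRead", "nativeMessaging", "debugger", "management", "proxy",
    "scripting", "declarativeNetRequest", "downloads", "bookmarks",
}


def host_patterns(manifest: dict) -> set:
    """Collect every host pattern the manifest asks for. Manifest V3 lists them in
    host_permissions; Manifest V2 mixes them into permissions; and any
    content_scripts[].matches entry grants page access as well."""
    patterns = set(manifest.get("host_permissions", []))
    patterns |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        patterns |= set(script.get("matches", []))
    return patterns


def api_permissions(manifest: dict) -> set:
    """Non-host permissions, including optional ones the extension may request later."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    return {p for p in perms if "://" not in p and p != "<all_urls>"}


def assess(manifest: dict) -> tuple:
    """Return (risk_level, findings). Thresholds are an illustrative assumption:
    broad page access counts 2, scoped page access 1, each sensitive API 1."""
    findings = []
    hosts = host_patterns(manifest)
    broad = hosts & BROAD_HOST_PATTERNS
    if broad:
        findings.append(f"reads and writes every page: {sorted(broad)}")
    elif hosts:
        findings.append(f"page access limited to: {sorted(hosts)}")
    sensitive = api_permissions(manifest) & SENSITIVE_API_PERMISSIONS
    if sensitive:
        findings.append(f"sensitive APIs: {sorted(sensitive)}")
    score = (2 if broad else 1 if hosts else 0) + len(sensitive)
    level = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return level, findings


def permission_delta(old: dict, new: dict) -> tuple:
    """(added, removed) between two versions; additions are what an update re-prompts for."""
    old_set = host_patterns(old) | api_permissions(old)
    new_set = host_patterns(new) | api_permissions(new)
    return sorted(new_set - old_set), sorted(old_set - new_set)


# Constructed sample manifests (not real extensions).
PASSWORD_MANAGER_V1 = {
    "manifest_version": 3, "name": "Sample Vault", "version": "1.0.0",
    "permissions": ["storage", "alarms", "contextMenus"],
    "host_permissions": ["<all_urls>"],          # needed to fill login forms anywhere
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["fill.js"]}],
}
SINGLE_SITE = {
    "manifest_version": 3, "name": "Sample Site Helper", "version": "2.1.0",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
}
PASSWORD_MANAGER_V2 = {
    **PASSWORD_MANAGER_V1, "version": "1.1.0",
    "permissions": ["storage", "alarms", "contextMenus", "webRequest", "cookies"],
}

if __name__ == "__main__":
    for name, m in [("v1", PASSWORD_MANAGER_V1), ("single-site", SINGLE_SITE), ("v2", PASSWORD_MANAGER_V2)]:
        level, findings = assess(m)
        print(f"{name}: {level} risk; " + "; ".join(findings))
    added, removed = permission_delta(PASSWORD_MANAGER_V1, PASSWORD_MANAGER_V2)
    print(f"update 1.0.0 -> 1.1.0 adds {added}, drops {removed}")
```

Run on the samples, the password-manager-style manifest rates medium (every page, but no sensitive APIs, which matches the "necessary but minimal" profile described above), the single-site helper rates low, and the updated version rates high with webRequest and cookies reported as the additions a user would be asked to approve. The same delta check is the cheap proxy for "research future versions before rolling out any updates": diff the manifest, not just the changelog.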

Compliance Concerns

A core question surrounding browser extensions is how well that extension fits within your compliance regime. A reputable developer will publish audits to confirm their own adherence to legal and technical standards, which at least gives you the assurance that their environment is audited regularly. LastPass is particularly good in this department, publishing a laundry list of acronyms that they comply with, including:

  • SOC2
  • GDPR
  • HIPAA
  • ISO27001

While these certifications don’t ensure that an extension is secure, it’s an important link in the chain. If you’re an individual user, this might not be the most important bullet point for you, but it’s key for enterprise customers.

LastPass Platform Analysis

Because LastPass works across all of your laptops, desktops, and mobile devices, there’s another core aspect to their infrastructure: their shared platform. This is where LastPass sometimes falls short. In reality, the LastPass platform has experienced substantial compromises that should give you serious pause about adopting the platform for your personal or enterprise use.

Data Breaches

LastPass has undergone a number of data breaches between 2011 and 2022. The most serious were in 2022, when an attacker gained access to their system in August, pulling down unencrypted user account information. They later clarified that this unencrypted information was purely from their non-production environment and did not contain public customer account information. However, even after that attack was contained, the attackers were able to re-enter the LastPass network in November by a different route. The attackers were able to download encrypted vault information for customers, as well as unencrypted metadata like which websites customers visit, email addresses, physical addresses, and IP addresses. In some instances, the attacker was also able to exfiltrate encryption keys needed to decrypt this data.
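The breach description above turns on two design questions: which vault fields are encrypted (here, website URLs were not), and where the key that decrypts them lives. The following added example sketches a generic zero-knowledge vault design in which the server stores only ciphertext and a login hash; it is an illustration written for this post, not LastPass's actual scheme, and it makes no claim about how LastPass derives or stores keys. The key derivation (PBKDF2-HMAC-SHA256 with the account email as salt) and the iteration count are assumptions chosen for illustration, and the HMAC-based stream cipher is a toy stand-in for an AEAD such as AES-GCM so the block runs with the standard library only.

```python
"""Generic zero-knowledge vault sketch (added example, not LastPass's design).
The vault key is derived on the client from the master password and never sent;
the server receives only a separately derived login hash and opaque ciphertext,
so a copy of the server's data reveals no URLs, usernames or passwords."""
import hashlib
import hmac
import json
import os

ITERATIONS = 600_000  # PBKDF2 work factor; an assumption for this example


def vault_key(master_password: str, email: str) -> bytes:
    """Client-side only. The lower-cased email acts as a per-user salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS
    )


def login_hash(key: bytes, master_password: str) -> bytes:
    """What the client sends to authenticate: one more PBKDF2 round over the
    vault key, so the server's stored value cannot be turned back into the key."""
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC(key, nonce || counter) blocks. Stand-in for a real AEAD."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_entry(key: bytes, entry: dict) -> dict:
    """Encrypt the whole entry, URL included, so the server holds no metadata in clear."""
    plaintext = json.dumps(entry, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity over nonce+ct
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_entry(key: bytes, blob: dict) -> dict:
    """Verify the tag first; a wrong key or a tampered blob is rejected, not decrypted."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault entry failed integrity check")
    plaintext = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(plaintext)


def server_visible_fields(blob: dict) -> list:
    """What a stolen server-side copy of one entry exposes: only these opaque fields."""
    return sorted(blob)


if __name__ == "__main__":
    # Constructed sample credentials; not real accounts.
    key = vault_key("correct horse battery staple", "user@example.com")
    entry = {"url": "https://bank.example", "username": "alice", "password": "p@ssw0rd"}
    blob = encrypt_entry(key, entry)
    print("server stores:", server_visible_fields(blob))
    print("login hash differs from vault key:", login_hash(key, "correct horse battery staple") != key)
    print("round trip:", decrypt_entry(key, blob) == entry)
```

The point of the two derivations is that a breach of the server's database yields ciphertext plus a login hash, and neither one decrypts the vault without the master password. Had the URL field been stored outside the encrypted blob, as in the metadata described above, that part of every entry would be readable from the stolen copy regardless of how strong the vault encryption was.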

This level of data breach is entirely unacceptable from a password manager. On a personal note, this data breach led me to personally cancel my LastPass subscription as I could no longer trust their security.

Alternative Password Management Options

If you’re interested in adopting a password manager but the previous section scared you off LastPass, you might consider alternatives like 1Password or Bitwarden. The key takeaway should be that you still need a password manager but you want to find one that meets your security needs instead of making you more exposed.

SpinSPM Is Your Tool To Evaluate All Browser Addons

In this post we looked at LastPass, but the same evaluation applies to any browser addon you might want to adopt. If you’re not sure about a browser extension, search for it in Spin.AI’s Free Risk Assessment Tool. That will walk you through the security concerns we covered here, allowing you to evaluate the extension for your own needs.

Written by Eric Boersma, Senior Software Engineer

Eric Boersma is a software developer and development manager who's done everything from IT security in pharmaceuticals to writing intelligence software for the US government to building international development teams for non-profits. He loves to talk about the things he's learned along the way, and he enjoys listening to and learning from others as well.
