
In the 1990s, Microsoft destroyed many once-great companies. But these days, they’re just committing suicide.
Case in point: LastPass, a once trusted security company that was acquired by GoTo (formerly LogMeIn, another once trusted company) in 2015 before suffering from several significant security incidents over the next several years, causing GoTo to wipe its hands clean of the tarnished brand by spinning it off earlier this year.
The central mission of LastPass has never changed: Now, as at its inception in 2008, the company offers a password manager via an online service, browser extensions, and apps so that you can store your passwords in a single place and access them anywhere. It’s a solid idea, and for many years, LastPass was highly recommended by many for its ubiquity and ease of use. Like many of you, I bet, I was a LastPass user for many years.
By the time I started Thurrott.com in early 2015, LastPass was well understood, but like Evernote in note-taking apps, the competition had improved. And while browser makers had likewise improved their built-in password management capabilities, the dominance of Apple and Google on mobile, and Microsoft on the desktop, further sidelined this company: These companies own the platforms and the default browsers that run on them.
But the biggest issues LastPass faced came from within: The firm had always been a target for hackers because of the data it stores, and in 2015, it suffered a major security breach in which hackers stole its customers’ email addresses, password reminders, server per-user salts, and authentication hashes. My response to this is regrettable: Trusting the company, I wrote an article reminding readers to use two-factor authentication (2FA) with LastPass to eliminate the key complaint about any password manager, that it is a single point of failure. (I had previously—and since—written about the importance of safeguarding your online accounts with 2FA more generally.)
The following year, LastPass came to Windows Phone, so I made it an app pick. And then it came to the then-new Microsoft Edge browser, which had launched in 2015 in Windows 10 without extension support. But with competition increasing, LastPass was feeling the pinch. It freed some capabilities from its paid Premium subscription to drive usage in late 2016. And then it sadly succumbed to a further series of attacks, starting in 2017. Regrettably, again, I was still defending the company at that time.
But with bigger hacks that impacted more meaningful user data, including master passwords and even password vaults throughout 2021 and 2022, LastPass was no longer defensible. There was a class action lawsuit and, from what I can see now, an almost-unreported incident in 2023 in which 150 victims of a cryptocurrency scam were all LastPass users. GoTo, as noted, flushed LastPass away earlier this year, understandably.
I quietly gave up on this company years ago, and I’ve spent the past two years using and experimenting with other password managers, including Bitwarden, 1Password, Dashlane, and now Proton Pass. But in January 2024, I discovered just how out of touch LastPass had become when it announced that, instead of going fully passwordless to better secure its customers, LastPass was taking the nonsensical step of actually requiring them to use longer master passwords. This was a bridge too far.
“That’s ridiculous,” I wrote of the change. “The Achilles Heel of all password managers is that they still rely on users having a master password to protect their personal data. Here we are in 2024, configuring as many accounts as possible to be passwordless with technologies like two-step verification and passkeys, and yet somehow the vaults that store our account passwords, credit card numbers, and other important data still use … a password? This makes no sense to me: Password managers should support and require the same two-step verification techniques that we use to protect our other online accounts, and they should give us the option to go completely passwordless by not even using a master password in the first place. Which is easily hacked no matter the length.”
Anyway, I’d moved on. And I don’t think I would have really thought about LastPass at all again had not a curious email arrived in my inbox about two weeks ago from Cloudflare, the service we use to protect Thurrott.com from denial of service (DoS) and other electronic attacks. Cloudflare told me it had received a DMCA copyright infringement complaint about my site.
Huh.
Kiran Singh of PhishLabs Security, representing LastPass, had informed Cloudflare in grammatically incorrect English that an article on my site, from 2016, was infringing on the client’s (LastPass) mark and demanded that I remove a hyperlink to the LastPass app on the Apple App Store. “This Mobile Store is offering direct downloads or redirect downloads of our client’s official application(s), without explicit authorized permission from our client, and may present a security risk,” she claimed.
I ignored this for all the obvious reasons. That link, which was valid and still worked, sat next to similar links for the Android and Windows Phone versions of LastPass. In an article in which I recommended that readers use LastPass. From 8 years ago.
One day later, I received a similar email from Cloudways, the company that hosts our images. This time, I replied. I told them there was no infringement after reviewing the page again. Cloudways closed the incident report, and it was “pleased to inform [me] that the reported issue has been considered resolved by the cloud provider.”
But Cloudways wasn’t done. Neither was Cloudflare. Over the next several days, I received further complaints from both. I explained my case to both. I was told the issue was resolved, by both. I received further complaints, from both. It kind of just kept happening.
I want to be clear about this. I don’t trust LastPass, but I also didn’t see any reason to remove an innocuous—no, useful and usable—link. Why didn’t they complain about the now-dead Windows Phone link?
After several go-rounds with each company, I finally updated the article, expressing my frustration in that article, as here, adding commentary that “LastPass is terrible,” and “you can no longer trust this company with your data.” Comments I would never have considered including had this company not harassed me repeatedly with a spurious charge. Why hadn’t they simply reached out to me directly?
It doesn’t matter. I will be writing more about password managers soon. LastPass will not be part of that discussion. Because LastPass is terrible. And you cannot trust this company.