LastPass revealed that hackers stole customer vault data during an August 2022 incident. During the breach, the threat actor was able to copy a backup of customer vault data.
According to Ars Technica, LastPass vault secrets (logins and passwords) are encrypted, however, website URLs and other metadata are not encrypted. As a result, some stolen information could be used as targeted attacks against users. Information obtained from a source code leak and a Twilio data breach provided the attackers with information to break into the cloud infrastructure, which stored customer data.
In contrast, Keeper adheres to the following:
1. Keeper encrypts all vault data, including URLs and metadata, locally on the user’s device. Keeper’s cloud does not receive, store or process any plaintext vault information.
2. Keeper does not store secrets such as cloud infrastructure access keys in its source code. We regularly scan source code for secret information.
3. Keeper’s source code, while privately held in Github Enterprise, does not provide information required to access a user’s vault. The encryption of data occurs at the local device level, and much of this source code is published in our public Github repo as part of Keeper’s Commander and Secrets Manager products.
4. Keeper does not use 3rd party providers such as Twilio for 2FA. Keeper’s vendors have not been subject to any data breaches.
5. Keeper does not provide any 3rd parties with management or access to any of our AWS data centers. All management of infrastructure is performed by full-time employees of Keeper Security who are additionally US Citizens located in the US.
Here are a few resources if you have any questions about Keeper vs. LastPass: