LastPass Android app tracking users, researchers say [updated]

LastPass tracks mobile users more than any other major password manager, German security researchers say. And these trackers can see much of what you are doing in the LastPass app.

Mike Kuketz wrote on his blog late last week that the current LastPass Android app contains seven trackers.

In contrast, rival password manager Dashlane's Android app has four trackers, Keeper and Bitwarden each have two, and 1Password has none. The iOS apps were presumably not examined.

Most of the seven LastPass trackers are for monitoring performance and crashes, including four very common Google ones. However, at least three trackers (AppsFlyer, MixPanel, and Segment) are designed to send user data to third parties, Kuketz said.

"For apps that process extremely sensitive data (passwords), this is simply reprehensible," the Google-translated version of Kuketz's blog post reads. "Ads and analytics modules simply have no place in this - integrating them into a password manager app is completely out of the question."

(The original German of the first sentence reads: "Für eine App, die äußerst sensible Daten (Passwörter) verarbeitet, ist das schlichtweg ein Armutszeugnis." The second sentence, about advertising and analytics modules having no place in a password manager app, is given above in Google's translation.)

The Register, which reported this story earlier, contacted LastPass, which responded:

"No personally identifiable sensitive user data or vault activity is likely to pass through these trackers. These trackers collect limited statistical data about how you use LastPass to help us improve and optimize our products."

Now, as The Register noted, LastPass has a lot of free users and is set to lose many of them next month due to policy changes.

Kuketz believes that the LastPass trackers are sending out too much information regardless, and that even LastPass may not know much about what they send. He launched the LastPass app and watched what each tracker sent back to its home base.

He said the MixPanel tracker sent the device manufacturer, Android version, model number, device ID, LastPass account type, and whether the LastPass app enabled biometric login and autofill.

AppsFlyer sent most of that, plus the name of the mobile network operator, Android ad ID, and a mysterious user ID, Kuketz said.

While some of this sounds harmless, other researchers have well established that Android ad IDs can be used to track individuals' physical location.

When Kuketz used the LastPass Android app to create a new account, the Segment tracker sent a message ID, the time zone, the country the device was in, the device's IP address, and what the LastPass app was doing (in this case "onboarding password"), he said.

In other words, the LastPass app's trackers can know where you are, what language you are using, what type of LastPass account you have, and what you are doing with the app, including when you are adding new passwords and bank account numbers.

While the tracker cannot actually see the passwords or bank account numbers you are entering, it is still spooky to know that it is aware of the fields you are entering data into.

"Extremely sensitive information such as access data, notes, and bank accounts are stored in the password manager," Kuketz wrote, according to Google Translate.

"And the tracker tracks users every step of the way when they use LastPass, even if they don't receive content data."

(The original German of the first sentence reads: "In Passwort-Managern werden (äußerst) sensible Informationen, z.B. Zugangsdaten, Notizen, Bankkonten etc. hinterlegt." The second sentence, about the trackers following users' every step even without receiving content data, is given above in Google's translation.)

According to Exodus Privacy, which catalogs the tracker SDKs bundled in Android apps, none of the other four password managers mentioned above use AppsFlyer, MixPanel, or Segment. However, Dashlane uses two other trackers that appear to track user activity, and Keeper uses one of them; Bitwarden's two trackers appear to be harmless, and as noted earlier, 1Password has no trackers at all.
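Exodus Privacy identifies bundled trackers by looking for the SDKs' class-name signatures inside an app's Dex bytecode. The script below is an added example of that kind of check and is not code from Kuketz, Exodus Privacy, or this article: it opens an APK as a zip archive, scans every classes*.dex entry for the type-descriptor prefixes of the three SDKs named above, and reports which Dex files contain them. The package prefixes (com.appsflyer, com.mixpanel.android, com.segment.analytics) are my assumption of what these SDKs use and should be checked against Exodus Privacy's signature list; the sample APK is constructed in memory so the script runs offline.

```python
import io
import re
import zipfile

# Tracker SDK signatures as Dex type-descriptor prefixes. These package
# prefixes are assumed here, not taken from the article; check them against
# Exodus Privacy's signature database before relying on them.
TRACKER_SIGNATURES = {
    "AppsFlyer": rb"Lcom/appsflyer/",
    "Mixpanel": rb"Lcom/mixpanel/android/",
    "Segment": rb"Lcom/segment/analytics/",
}


def scan_apk_for_trackers(apk_bytes: bytes) -> dict:
    """Return {tracker_name: [dex files in which its classes appear]}.

    Dex files store class names in their string table as descriptors such as
    'Lcom/appsflyer/AppsFlyerLib;', so a raw substring search over each
    classes*.dex entry is enough to flag an SDK that is bundled unobfuscated.
    Obfuscators that rename packages defeat this, so a clean result means
    'nothing found', not 'nothing present'.
    """
    found = {name: [] for name in TRACKER_SIGNATURES}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        dex_names = [n for n in apk.namelist() if re.fullmatch(r"classes\d*\.dex", n)]
        for dex_name in sorted(dex_names):
            data = apk.read(dex_name)
            for name, signature in TRACKER_SIGNATURES.items():
                if signature in data:
                    found[name].append(dex_name)
    # Drop trackers with no hits so the result lists only what was detected.
    return {name: files for name, files in found.items() if files}


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with two fake Dex entries.

    Real Dex files are binary; only the descriptor strings the scanner looks
    for are reproduced here. The class names are made up for this sample.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<constructed/>")
        apk.writestr(
            "classes.dex",
            b"dex\n035\0"
            + b"Lcom/example/vault/VaultActivity;"
            + b"Lcom/appsflyer/AppsFlyerLib;",
        )
        apk.writestr(
            "classes2.dex",
            b"dex\n035\0"
            + b"Lcom/segment/analytics/Analytics;"
            + b"Lcom/appsflyer/internal/Helper;",
        )
    return buf.getvalue()


if __name__ == "__main__":
    hits = scan_apk_for_trackers(build_sample_apk())
    for tracker, files in hits.items():
        print(f"{tracker}: {', '.join(files)}")
```

On the constructed sample the scan reports AppsFlyer in both Dex files and Segment in classes2.dex, and nothing for Mixpanel. To audit a real app, replace `build_sample_apk()` with the bytes of an APK read from disk; split APKs and app bundles carry their Dex files across several archives, so scan each one.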

[Update: Keeper alerted us to this blog post explaining that it has removed one potentially problematic tracker from its Android app; Keeper's Exodus page reflects this.]

Kuketz said there is no way to opt out of this data collection within the app, and we could not find it either. However, a LastPass spokesperson told The Register that there is a way.

"All LastPass users, regardless of browser or device, are given the option to opt-out of these analytics in the LastPass privacy settings in their account: account settings > view advanced settings > privacy."

In the LastPass web browser interface, two lines are checked by default: "Record login and form-fill history" and "Send anonymous error report data to help us improve LastPass."

When clicked, the callout next to each line reads "Keep history of website logins and form entries. If disabled, the vault and extension will be empty of history and recent sites, respectively." and "Anonymous data is aggregated but not shared with third parties."

Kuketz said that based on his findings, LastPass users should switch to another password manager. We disagree with him and recommend LastPass as the best password manager.

Tom's Guide also contacted LastPass.

A LastPass spokesperson responded:

"User privacy and security is LastPass' top priority.

No personally identifiable sensitive user data passes through these trackers. These trackers are used for the limited purpose of collecting statistical data about how LastPass is used to help us improve and optimize our products to provide the best user experience.

We are continually reviewing our existing processes to ensure that your privacy and security are paramount."
