<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"><channel><title><![CDATA[The Proton Blog]]></title><description><![CDATA[News from the front lines of privacy and security]]></description><link>https://proton.me</link><generator>GatsbyJS</generator><lastBuildDate>Sat, 10 Feb 2024 17:33:10 GMT</lastBuildDate><atom:link href="https://proton.me/blog/feed" rel="self" type="application/rss+xml"/><language><![CDATA[en]]></language><sy:updatePeriod>daily</sy:updatePeriod><sy:updateFrequency>1</sy:updateFrequency><item><title><![CDATA[We took a dive into the Dropbox privacy policy — it’s not good]]></title><description><![CDATA[Ever curious what’s really in the Dropbox privacy policy? Turns out the company collects and shares a significant amount of data.]]></description><link>https://proton.me/blog/dropbox-privacy</link><guid isPermaLink="false">https://proton.me/blog/dropbox-privacy</guid><category><![CDATA[Privacy Basics]]></category><dc:creator><![CDATA[Fergus O'Sullivan]]></dc:creator><pubDate>Fri, 09 Feb 2024 13:28:53 GMT</pubDate><content:encoded>
&lt;p&gt;Dropbox was the first mainstream &lt;a href=&quot;/blog/cloud-storage&quot;&gt;cloud storage&lt;/a&gt; provider, and still the biggest player on the market, with &lt;a href=&quot;https://dropbox.gcs-web.com/news-releases/news-release-details/dropbox-announces-second-quarter-fiscal-2022-results&quot;&gt;700 million users&lt;/a&gt; in 2022. We took a dive into Dropbox’s privacy policy to see how well the company protects the personal data of those millions of people.&lt;/p&gt;



&lt;p&gt;Turns out, there are some serious issues. Not only does Dropbox collect a lot of information about you, it can also share it with whomever it wants, including commercial partners and law enforcement. Being a Dropbox customer means giving the company a large measure of control over your data.&lt;/p&gt;



&lt;p&gt;This article breaks down the Dropbox privacy policy and explains how our private Dropbox alternative, &lt;a href=&quot;https://proton.me/drive&quot;&gt;Proton Drive&lt;/a&gt;, differs in fundamental ways.&lt;/p&gt;



&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;#Taking-a-look-at-Dropbox-privacy&quot;&gt;Taking a look at Dropbox privacy&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;#What-data-Dropbox-collects&quot;&gt;What data Dropbox collects&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#What-does-Dropbox-do-with-all-that-data&quot;&gt;What does Dropbox do with all that data?&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#What-it-means-for-consumers&quot;&gt;What it means for consumers&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#A-private-Dropbox-alternative&quot;&gt;A private Dropbox alternative&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;Taking-a-look-at-Dropbox-privacy&quot;&gt;Taking a look at Dropbox privacy&lt;/h2&gt;



&lt;p&gt;&lt;a href=&quot;https://www.dropbox.com/privacy&quot;&gt;Dropbox’s privacy policy&lt;/a&gt; is effectively split into two sections: the first part describing the data the service collects and a subsequent section listing all the entities Dropbox might share your data with. To its credit, Dropbox lays out all these terms clearly in a way anyone can understand. There’s also an &lt;a href=&quot;https://help.dropbox.com/security/privacy-policy-faq&quot;&gt;FAQ&lt;/a&gt; page that goes into a bit more depth on certain topics.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;What-data-Dropbox-collects&quot;&gt;What data Dropbox collects&lt;/h3&gt;



&lt;p&gt;The first thing you notice in the privacy policy is how much information Dropbox collects. Besides your email address — a core part of your &lt;a href=&quot;/blog/online-identity&quot;&gt;online identity&lt;/a&gt; — Dropbox also collects your name, phone number, physical address, and your payment information. &lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;691&quot; height=&quot;86&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_691,h_86,c_scale/f_auto,q_auto/v1707557733/wp-pme/dropbox-privacy-policy-personal-info/dropbox-privacy-policy-personal-info.png?_i=AA&quot; alt=&quot;Dropbox privacy policy personal information&quot; class=&quot;wp-post-51980 wp-image-51991&quot; data-public-id=&quot;wp-pme/dropbox-privacy-policy-personal-info.png&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557733&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1707557733/wp-pme/dropbox-privacy-policy-personal-info/dropbox-privacy-policy-personal-info.png?_i=AA 691w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_37,c_scale/f_auto,q_auto/v1707557733/wp-pme/dropbox-privacy-policy-personal-info/dropbox-privacy-policy-personal-info.png?_i=AA 300w&quot; sizes=&quot;(max-width: 691px) 100vw, 691px&quot; /&gt;&lt;/figure&gt;&lt;/div&gt;


&lt;p&gt;Dropbox also collects and stores data associated with the files you upload, referred to as “Your Stuff.” This includes the size of the file, when and from where it was uploaded, with whom it was shared — Dropbox also collects data about your contact list — and any activity in the files.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;792&quot; height=&quot;130&quot; data-public-id=&quot;wp-pme/dropbox-privacy-policy-your-stuff.png&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_792,h_130,c_scale/f_auto,q_auto/v1707557723/wp-pme/dropbox-privacy-policy-your-stuff/dropbox-privacy-policy-your-stuff.png?_i=AA&quot; alt=&quot;Dropbox privacy policy your stuff&quot; class=&quot;wp-post-51980 wp-image-52006&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557723&quot; /&gt;&lt;/figure&gt;&lt;/div&gt;


&lt;p&gt;In fact, file activity gets its own subsection in the privacy policy, and it’s clear why. Dropbox seems to keep a record of practically anything you could do with a file. Creating, editing, sharing, etc. — it all gets logged somewhere for Dropbox’s use.&lt;/p&gt;



&lt;figure class=&quot;wp-block-image size-full&quot;&gt;&lt;img width=&quot;802&quot; height=&quot;106&quot; data-public-id=&quot;wp-pme/dropbox-privacy-policy-usage-information.png&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_802,h_106,c_scale/f_auto,q_auto/v1707557726/wp-pme/dropbox-privacy-policy-usage-information/dropbox-privacy-policy-usage-information.png?_i=AA&quot; alt=&quot;Dropbox privacy policy usage information&quot; class=&quot;wp-post-51980 wp-image-52003&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557726&quot; /&gt;&lt;/figure&gt;



&lt;p&gt;Finally, Dropbox also gathers a lot of information about the devices you use to access the service, as well as your &lt;a href=&quot;https://protonvpn.com/blog/what-is-an-ip-address/&quot;&gt;IP address&lt;/a&gt;, a unique identifier that can help determine your physical location. While this can have a legitimate purpose, like troubleshooting, it seems odd that Dropbox preemptively collects this. &lt;/p&gt;



&lt;figure class=&quot;wp-block-image size-full&quot;&gt;&lt;img width=&quot;829&quot; height=&quot;116&quot; data-public-id=&quot;wp-pme/dropbox-privacy-policy-device-information.png&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_829,h_116,c_scale/f_auto,q_auto/v1707557741/wp-pme/dropbox-privacy-policy-device-information/dropbox-privacy-policy-device-information.png?_i=AA&quot; alt=&quot;Dropbox privacy policy device information&quot; class=&quot;wp-post-51980 wp-image-51982&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557741&quot; /&gt;&lt;/figure&gt;



&lt;p&gt;There’s more, but these seem to be the main data points that Dropbox gathers on its customers. What does the company do with this treasure trove, though?&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;What-does-Dropbox-do-with-all-that-data&quot;&gt;What does Dropbox do with all that data?&lt;/h3&gt;



&lt;p&gt;Dropbox states it does not sell your data to advertisers or third parties.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;702&quot; height=&quot;36&quot; data-public-id=&quot;wp-pme/dropbox-privacy-policy-do-not-sell.png&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_702,h_36,c_scale/f_auto,q_auto/v1707557739/wp-pme/dropbox-privacy-policy-do-not-sell/dropbox-privacy-policy-do-not-sell.png?_i=AA&quot; alt=&quot;Dropbox privacy policy do not sell&quot; class=&quot;wp-post-51980 wp-image-51985&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557739&quot; /&gt;&lt;/figure&gt;&lt;/div&gt;


&lt;p&gt;However, that doesn’t mean that it doesn&amp;#8217;t share it.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;836&quot; height=&quot;132&quot; data-public-id=&quot;wp-pme/dropbox-privacy-policy-sharing.png&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_836,h_132,c_scale/f_auto,q_auto/v1707557731/wp-pme/dropbox-privacy-policy-sharing/dropbox-privacy-policy-sharing.png?_i=AA&quot; alt=&quot;Dropbox privacy policy sharing guidelines&quot; class=&quot;wp-post-51980 wp-image-51994&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557731&quot; /&gt;&lt;/figure&gt;&lt;/div&gt;


&lt;p&gt;What’s most surprising is the number and kinds of third parties on the receiving end of your data. They include companies with extremely poor track records when it comes to privacy, including Google, Amazon, and OpenAI.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;308&quot; height=&quot;825&quot; data-public-id=&quot;wp-pme/dropbox-privacy-policy-the-usual-suspects.png&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_308,h_825,c_scale/f_auto,q_auto/v1707557728/wp-pme/dropbox-privacy-policy-the-usual-suspects/dropbox-privacy-policy-the-usual-suspects.png?_i=AA&quot; alt=&quot;Dropbox privacy policy partners&quot; class=&quot;wp-post-51980 wp-image-52000&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557728&quot; /&gt;&lt;/figure&gt;&lt;/div&gt;


&lt;p&gt;Some of these make sense in the context that Dropbox provides, like support portal ZenDesk, or payment provider Stripe, or even Amazon Web Services, which likely hosts Dropbox’s servers. However, there are also some that should make anybody think twice, like Google, a company that sells data as a business model.&lt;/p&gt;



&lt;p&gt;Other less well-known companies include Kissmetrics, which analyzes data for advertisers, and OpenAI, the company that developed ChatGPT, known for &lt;a href=&quot;https://proton.me/blog/privacy-and-chatgpt&quot;&gt;cutting corners&lt;/a&gt; when it comes to users’ privacy.&lt;/p&gt;



&lt;p&gt;That’s not all of it, either. As a business headquartered in the United States, Dropbox has to comply with US search warrants and other orders, which &lt;a href=&quot;https://www.eff.org/issues/national-security-letters/faq&quot;&gt;may be secretive&lt;/a&gt; and are often &lt;a href=&quot;https://kmlawfirm.com/2022/02/23/the-surprisingly-low-standard-for-a-search-warrant/&quot;&gt;easy to get&lt;/a&gt;. This means your data could be seized on even flimsy pretexts. As a result, Dropbox gets a lot of &lt;a href=&quot;https://help.dropbox.com/transparency/reports&quot;&gt;requests from law enforcement&lt;/a&gt;.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;826&quot; height=&quot;117&quot; data-public-id=&quot;wp-pme/dropbox-privacy-policy-law-order.png&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_826,h_117,c_scale/f_auto,q_auto/v1707557735/wp-pme/dropbox-privacy-policy-law-order/dropbox-privacy-policy-law-order.png?_i=AA&quot; alt=&quot;Dropbox privacy policy law and order&quot; class=&quot;wp-post-51980 wp-image-51988&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557735&quot; /&gt;&lt;/figure&gt;&lt;/div&gt;


&lt;p&gt;However, it gets worse: Dropbox also makes explicit that it’s more than happy to share data with the authorities &lt;strong&gt;on its own judgment&lt;/strong&gt;. Where all cloud services are forced to cooperate with law enforcement when a warrant is served, Dropbox makes it very clear that it will volunteer information. No wonder Edward Snowden called it a “&lt;a href=&quot;https://www.zdnet.com/article/snowden-wannabe-prism-partner-dropbox-is-hostile-to-privacy&quot;&gt;wannabe PRISM partner&lt;/a&gt;.”&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;What-it-means-for-consumers&quot;&gt;What it means for consumers&lt;/h3&gt;



&lt;p&gt;Dropbox doesn’t advertise as a privacy service, but even with that in mind it’s shocking how much data it collects and with whom it shares it. It pretty much knows everything it’s possible for it to know about you, and is more than happy to share it with marketers — its own, as well as third parties.&lt;/p&gt;



&lt;p&gt;Worse yet, it also makes clear it will share data with police in the “public interest,” a term so vague it can be used to justify any kind of situation. All we know for sure is that privacy isn’t a matter of public interest according to Dropbox.&lt;/p&gt;



&lt;p&gt;What makes it worse is that to harvest all this data it has made its users less secure. To see what users are doing on your platform, you must be able to decrypt their files. In other words, Dropbox does not use &lt;a href=&quot;/blog/what-is-end-to-end-encryption&quot;&gt;end-to-end encryption&lt;/a&gt;, the most secure form of data protection. This weak focus on security has led to a long string of &lt;a href=&quot;/blog/dropbox-security-issues&quot;&gt;Dropbox security incidents&lt;/a&gt;.&lt;/p&gt;



&lt;p&gt;Even if you’re fine with Dropbox knowing about your private data (and why would you be?), the fact that this practice also &lt;a href=&quot;/blog/is-dropbox-secure&quot;&gt;makes it unsafe&lt;/a&gt; should give you pause.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;A-private-Dropbox-alternative&quot;&gt;A private Dropbox alternative&lt;/h2&gt;



&lt;p&gt;We developed &lt;a href=&quot;https://proton.me/drive&quot;&gt;Proton Drive&lt;/a&gt; to give our community a secure cloud storage service that takes your privacy seriously. Unlike with Dropbox, your privacy isn’t something we can take away on a whim — it’s included by default.&lt;/p&gt;



&lt;p&gt;For example, we don’t collect much data about our customers. We have your email, your payment information if you upgrade your plan, and that’s about it. (You can see how we minimize data collection in our &lt;a href=&quot;https://proton.me/legal/privacy&quot;&gt;privacy policy&lt;/a&gt;.) We just have no interest in having that data because our business model is based on offering private and secure services to our customers. We’re funded entirely by our community and thus don’t need to sell data to advertisers.&lt;/p&gt;



&lt;p&gt;We’re also less exposed to law enforcement orders since we’re based in Switzerland and thus are subject to &lt;a href=&quot;/blog/switzerland&quot;&gt;Swiss privacy laws&lt;/a&gt;, some of the strictest in the world.&lt;/p&gt;



&lt;p&gt;Even if we wanted to access your data or share it, we can’t. Proton uses end-to-end encryption on all our apps. This means your files are encrypted on your device before they’re uploaded to our servers. This protects your privacy, but also makes it so there’s not much for hackers to steal in case of a breach. &lt;/p&gt;



&lt;p&gt;All this is part of our mission to create a better internet. If that, as well as a more secure, private cloud storage alternative, sounds like something you’d want to be part of, create a &lt;a href=&quot;https://proton.me/drive/pricing&quot;&gt;free Proton Drive account&lt;/a&gt; and join us.&lt;/p&gt;
</content:encoded></item><item><title><![CDATA[What’s your data really worth?]]></title><description><![CDATA[Your data is valuable. And that’s exactly why you should keep it safe by using privacy-focused services.]]></description><link>https://proton.me/blog/what-is-your-data-worth</link><guid isPermaLink="false">https://proton.me/blog/what-is-your-data-worth</guid><category><![CDATA[Privacy Deep Dives]]></category><dc:creator><![CDATA[Ben Wolford]]></dc:creator><pubDate>Thu, 08 Feb 2024 10:46:55 GMT</pubDate><content:encoded>
&lt;p&gt;There’s a saying that &lt;a href=&quot;https://www.wired.com/insights/2014/07/data-new-oil-digital-economy/&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;data is the new oil&lt;/a&gt; because of how valuable it is to the digital economy. But what’s the value of your data, personally? Depending on where you live, information about you could be worth at least several hundred dollars a year to Facebook and Google alone.&lt;/p&gt;



&lt;p&gt;For someone living in the United States, your data generated &lt;strong&gt;over $600&lt;/strong&gt; in revenue for just those two companies last year, according to our analysis of their regulatory filings. (We explain how we reached this number below.)&lt;/p&gt;



&lt;p&gt;That doesn’t include the income you generate for other ad tech companies, data brokers, internet service providers, dark web marketplaces, and any number of other entities that leach profit out of your behaviors and attributes.&lt;/p&gt;



&lt;p&gt;This is the price you pay for supposedly “free” services. But the bigger problem is that there’s not much protecting you from Big Tech’s incentives to grab as much data as they can, even if it’s without your consent. They’re motivated to violate your privacy and even ignore the privacy laws on the books. They will &lt;a href=&quot;https://proton.me/blog/big-tech-2023-fines-vs-revenue&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;happily pay any fine&lt;/a&gt; as long as they can continue to exploit you. Once they have your data, you can’t control what happens to it and it could even be exposed in a data breach.&lt;/p&gt;



&lt;p&gt;When you consider how lucrative your data is, it’s easy to see why Big Tech tramples on your privacy at all costs.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;The price tag on your data&lt;/h2&gt;



&lt;p&gt;One of the reasons it’s so easy to give away your data is that it’s so difficult to understand its value. That’s partly because the companies profiting off you want you to believe their services are “free”. In reality, you pay for free services with the intimate details of your life.&lt;/p&gt;



&lt;p&gt;But what are you actually paying? We decided to try to figure out the price in dollars.&lt;/p&gt;



&lt;p&gt;The best place to start is with the two companies that make the most money from data: Alphabet and Meta. Specifically, we looked at Google and Facebook, the flagship products of these companies.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;How much your data is worth to Facebook&lt;/h3&gt;



&lt;figure class=&quot;wp-block-image size-large&quot;&gt;&lt;img width=&quot;1024&quot; height=&quot;632&quot; data-public-id=&quot;wp-pme/facebook-revenue-per-user.png&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_632,c_scale/f_auto,q_auto/v1707557747/wp-pme/facebook-revenue-per-user/facebook-revenue-per-user-1024x632.png?_i=AA&quot; alt=&quot;&quot; class=&quot;wp-post-51837 wp-image-51838&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557747&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_632,c_scale/f_auto,q_auto/v1707557747/wp-pme/facebook-revenue-per-user/facebook-revenue-per-user.png?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_185,c_scale/f_auto,q_auto/v1707557747/wp-pme/facebook-revenue-per-user/facebook-revenue-per-user.png?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_474,c_scale/f_auto,q_auto/v1707557747/wp-pme/facebook-revenue-per-user/facebook-revenue-per-user.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1707557747/wp-pme/facebook-revenue-per-user/facebook-revenue-per-user.png?_i=AA 1114w&quot; sizes=&quot;(max-width: 1024px) 100vw, 1024px&quot; /&gt;&lt;/figure&gt;



&lt;p&gt;Facebook’s numbers were easy to calculate because the company disclosed them in its &lt;a href=&quot;https://s21.q4cdn.com/399680738/files/doc_earnings/2023/q3/presentation/Earnings-Presentation-Q3-2023.pdf&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;earnings presentation for the third quarter of 2023&lt;/a&gt;.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;For users in the United States and Canada, the average annual revenue per user was $217.26.&lt;/strong&gt; (&lt;a href=&quot;https://s21.q4cdn.com/399680738/files/doc_earnings/2023/q3/presentation/Earnings-Presentation-Q3-2023.pdf&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Over 99%&lt;/a&gt; of Facebook revenue comes from advertising.)&lt;/p&gt;



&lt;p&gt;In Europe, the annual revenue per user is about $70. Globally it was $42.34. Meta says the sharp disparity between the US and Canada and the rest of the world is “primarily due to the size and maturity of those online and mobile advertising markets”. Interestingly, Facebook recently offered EU users the ability to pay €9.99/month in order to not see ads, placing the value of each person a bit higher than current revenue. (There’s no privacy benefit, however, as Facebook &lt;a href=&quot;https://www.wired.com/story/how-to-get-ad-free-facebook-instagram-meta-privacy/&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;will still collect your data&lt;/a&gt;, even if you opt for the ad-free tier.)&lt;/p&gt;



&lt;p&gt;These revenue figures don’t include Instagram, WhatsApp, and other platforms, which had &lt;a href=&quot;https://d18rn0p25nwr6d.cloudfront.net/CIK-0001326801/e574646c-c642-42d9-9229-3892b13aabfb.pdf&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;3.74 billion monthly active users&lt;/a&gt; as of December 2022. The company doesn’t break out average revenue for its “family of apps” by geographic region, so it’s difficult to know the relative value of people’s data across Meta.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;How much your data is worth to Google&lt;/h3&gt;



&lt;figure class=&quot;wp-block-image size-full&quot;&gt;&lt;img width=&quot;1000&quot; height=&quot;546&quot; data-public-id=&quot;wp-pme/google-ad-revenue.png&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1000,h_546,c_scale/f_auto,q_auto/v1707557744/wp-pme/google-ad-revenue/google-ad-revenue.png?_i=AA&quot; alt=&quot;&quot; class=&quot;wp-post-51837 wp-image-51841&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557744&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1707557744/wp-pme/google-ad-revenue/google-ad-revenue.png?_i=AA 1000w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_164,c_scale/f_auto,q_auto/v1707557744/wp-pme/google-ad-revenue/google-ad-revenue.png?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_419,c_scale/f_auto,q_auto/v1707557744/wp-pme/google-ad-revenue/google-ad-revenue.png?_i=AA 768w&quot; sizes=&quot;(max-width: 1000px) 100vw, 1000px&quot; /&gt;&lt;/figure&gt;



&lt;p&gt;It’s a little harder to quantify the per capita spoils of Google’s sprawling ad machine. The company doesn’t disclose exact figures on how many people use its various services where ads are displayed. But it’s possible to get a rough approximation by looking at Google Search, which has the largest market share of perhaps any product in the world.&lt;/p&gt;



&lt;p&gt;There are an &lt;a href=&quot;https://www.itu.int/itu-d/reports/statistics/2022/11/24/ff22-internet-use/&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;estimated 5.3 billion people&lt;/a&gt; online, and about &lt;a href=&quot;https://www.similarweb.com/engines/&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;90% of them&lt;/a&gt; use Google Search. Google &lt;a href=&quot;https://www.sec.gov/Archives/edgar/data/1652044/000165204423000016/goog-20221231.htm&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;reported&lt;/a&gt; $224.47 billion in ad revenue in 2022 (not including YouTube ads). So that comes out to about $47 per year per person globally.&lt;/p&gt;



&lt;p&gt;But just like Meta, there’s a geographic disparity with Google’s revenue, too. In 2022, 48% of Google’s total revenue came from the United States. If we assume this proportion holds for ad revenue (it’s not clear whether it does), then US advertisers paid Google $107.75 billion in 2022.&lt;/p&gt;



&lt;p&gt;If Google Search market share is also 90% in the US, that’s over 274 million people using Google, and &lt;strong&gt;the company earns $393 per year from each of them&lt;/strong&gt;.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Other ways to value your data&lt;/h3&gt;



&lt;p&gt;That’s already hundreds of dollars per year, just from two companies. But we’re also collectively paying in the tens of billions of dollars to other companies profiting off ads. Amazon reported almost &lt;a href=&quot;https://www.sec.gov/Archives/edgar/data/1018724/000101872423000004/amzn-20221231.htm&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;$38 billion&lt;/a&gt; in ad revenue in 2022, Apple generated &lt;a href=&quot;https://www.statista.com/statistics/1330127/apple-ad-revenue-worldwide/&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;$4.7 billion&lt;/a&gt;, and Microsoft earned &lt;a href=&quot;https://www.sec.gov/Archives/edgar/data/789019/000156459022026876/msft-10k_20220630.htm&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;$12 billion&lt;/a&gt;. &lt;/p&gt;



&lt;p&gt;And that’s just the Big Tech giants. Companies like Spotify, Twitter, Snap, and others also make money from targeted ads.&lt;/p&gt;



&lt;p&gt;Your data is also bought and sold in far less obvious ways. Internet service providers like AT&amp;amp;T, Comcast, and Verizon collect your data and surreptitiously use it to sell advertising and analytics services, &lt;a href=&quot;https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-staff-report-finds-many-internet-service-providers-collect-troves-personal-data-users-have-few&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;according to the FTC&lt;/a&gt;. And even &lt;a href=&quot;https://www.axios.com/2023/09/08/car-data-privacy-record-listen-mozilla-report&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;your car&lt;/a&gt; and &lt;a href=&quot;https://hackernoon.com/even-supermarkets-are-tracking-your-data-nowadays&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;grocery store&lt;/a&gt; are watching you.&lt;/p&gt;



&lt;p&gt;And then there’s the black market, where hackers steal and sell data on the dark web. The advocacy group &lt;a href=&quot;https://www.privacyaffairs.com/dark-web-price-index-2023/&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Privacy Affairs&lt;/a&gt; found that the average price paid for a single stolen credit card is $110. Bank account login details, passports, and cryptocurrency accounts can run into the thousands. On top of the market price, there is the cost to you of identity theft and financial losses.&lt;/p&gt;



&lt;p&gt;It’s important to take in all factors when considering the price of your data. In some cases, such as your Social Security number or passport, you might even consider the data to be priceless.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;There’s no need to give away your data&lt;/h2&gt;



&lt;p&gt;Big Tech has been telling the same story for a decade: that your privacy is a fair price to pay for online services. But after successive scandals, data breaches, and even &lt;a href=&quot;https://proton.me/blog/google-privacy-washing&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;violations of children’s privacy&lt;/a&gt;, people have begun to question this premise. &lt;/p&gt;



&lt;p&gt;Our recent &lt;a href=&quot;https://proton.me/reports/privacy-uk2023&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;survey in partnership with YouGov&lt;/a&gt; found that most people believe it’s unethical for Big Tech to profit off their personal information, and they don’t believe they’ve had the opportunity to give informed consent. “Over two-thirds of people don’t understand how online services use their data,” we found.&lt;/p&gt;



&lt;p&gt;Given the stakes — hundreds of dollars per year per person from billions of users — it’s no surprise Big Tech is willing to break laws (&lt;a href=&quot;https://proton.me/blog/big-tech-bigger-fines&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;according to European regulators&lt;/a&gt;) to maintain their dominance.&lt;/p&gt;



&lt;p&gt;Our position at Proton has always been that privacy should be the default. And while strong privacy laws are important, the most effective way to protect your data from abuse is to use online services with &lt;a href=&quot;https://proton.me/blog/what-is-end-to-end-encryption&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;end-to-end encryption&lt;/a&gt;.&lt;/p&gt;



&lt;p&gt;Unlike Google, which can see everything you do online, encrypted services can’t access any of your private data. For example, when you use Google Drive, the company can see all the files, pictures, and documents you store in the cloud. With &lt;a href=&quot;https://proton.me/drive&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Proton Drive&lt;/a&gt;, your data is encrypted on your computer or mobile device before going to our servers, and only you can decrypt it with your secret key. We never see it.&lt;/p&gt;



&lt;p&gt;There are numerous benefits of keeping control of your data and not giving it away to Big Tech companies for free. Privacy and security are fundamental values that should not be given away. Additionally, using end-to-end encryption helps protect your data from hackers because even if the cloud servers are breached, your files remain encrypted.&lt;/p&gt;



&lt;p&gt;Most importantly, in the digital age your online data is synonymous with your identity. Consider the ways in which your personal email is tied to everything you do online, &lt;a href=&quot;https://proton.me/blog/email-is-your-digital-id&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;like a digital passport&lt;/a&gt;. When you use Google or Facebook, you are giving them the right to control the fabric of your identity, sell it to third parties, or auction it off to corporations and politicians trying to manipulate you.&lt;/p&gt;



&lt;p&gt;Fortunately, it’s now extremely easy to opt out of Big Tech and switch to a privacy-first service. At Proton, we offer &lt;a href=&quot;https://proton.me/support/easy-switch&quot;&gt;Easy Switch&lt;/a&gt; which lets you transfer your emails, contacts, and calendar events with a couple of clicks.&lt;/p&gt;



&lt;figure class=&quot;wp-block-image size-large&quot;&gt;&lt;img width=&quot;1024&quot; height=&quot;446&quot; data-public-id=&quot;wp-pme/proton-mail-ios-privacy-label.png&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_446,c_scale/f_auto,q_auto/v1707564668/wp-pme/proton-mail-ios-privacy-label/proton-mail-ios-privacy-label-1024x446.png?_i=AA&quot; alt=&quot;Proton Mail privacy label in Apple&amp;#039;s App Store showing that Proton Mail collects no data linked to your identity&quot; class=&quot;wp-post-51837 wp-image-26397&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707564668&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_446,c_scale/f_auto,q_auto/v1707564668/wp-pme/proton-mail-ios-privacy-label/proton-mail-ios-privacy-label.png?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_131,c_scale/f_auto,q_auto/v1707564668/wp-pme/proton-mail-ios-privacy-label/proton-mail-ios-privacy-label.png?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_335,c_scale/f_auto,q_auto/v1707564668/wp-pme/proton-mail-ios-privacy-label/proton-mail-ios-privacy-label.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_1536,h_669,c_scale/f_auto,q_auto/v1707564668/wp-pme/proton-mail-ios-privacy-label/proton-mail-ios-privacy-label.png?_i=AA 1536w, https://res.cloudinary.com/dbulfrlrz/images/w_2048,h_893,c_scale/f_auto,q_auto/v1707564668/wp-pme/proton-mail-ios-privacy-label/proton-mail-ios-privacy-label.png?_i=AA 2048w, https://res.cloudinary.com/dbulfrlrz/images/w_1568,h_683,c_scale/f_auto,q_auto/v1707564668/wp-pme/proton-mail-ios-privacy-label/proton-mail-ios-privacy-label.png?_i=AA 1568w&quot; sizes=&quot;(max-width: 1024px) 100vw, 1024px&quot; /&gt;&lt;figcaption class=&quot;wp-element-caption&quot;&gt;Proton Mail iOS privacy label&lt;/figcaption&gt;&lt;/figure&gt;



&lt;p&gt;You can see how we’re different just by checking out our &lt;a href=&quot;https://proton.me/legal/privacy&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;privacy policy&lt;/a&gt;. While Big Tech wants as much of your data as possible, we want as little. Our business model is fundamentally different. Though we offer free services, the only way we make money is from subscriptions, meaning your privacy is our top priority.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Considering the $600 in value Big Tech is extracting from you, a Proton subscription is cheap by comparison —&amp;nbsp;particularly since we never do anything with your data and it’s safe from costly data breaches.&lt;/strong&gt;&lt;/p&gt;



&lt;p&gt;Big Tech knows how valuable your data is, so they try to take it from you. We also understand your data is valuable, which is why we think you should keep it safe with strong encryption.&lt;/p&gt;
</content:encoded></item><item><title><![CDATA[Introducing Proton Pass for Business – a Swiss vault for your team’s passwords]]></title><description><![CDATA[Announcing the launch of Proton Pass for Business, bringing secure passwords and email aliases to companies.]]></description><link>https://proton.me/blog/business-password-manager</link><guid isPermaLink="false">https://proton.me/blog/business-password-manager</guid><category><![CDATA[Proton News]]></category><dc:creator><![CDATA[Andy Yen]]></dc:creator><pubDate>Wed, 07 Feb 2024 10:20:50 GMT</pubDate><content:encoded>
&lt;p&gt;Your organization’s data is only as secure as your employees’ passwords. Hackers often target employees for this reason, and some of the &lt;a href=&quot;https://proton.me/blog/dropbox-security-issues&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;biggest data breaches in history&lt;/a&gt; were the result of weak passwords. Having a secure password manager for your workplace is also helpful for compliance with laws such as the &lt;a href=&quot;https://proton.me/business/gdpr&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;GDPR&lt;/a&gt; as an &lt;a href=&quot;https://gdpr.eu/recital-78-appropriate-technical-and-organisational-measures/&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;organizational data protection measure&lt;/a&gt;.&lt;/p&gt;



&lt;p&gt;That’s why today we’re happy to introduce an important new enterprise security tool to our community with &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;Proton Pass for Business&lt;/a&gt;. You can now easily create an encrypted Swiss vault to store and control access to your organization’s login details, bank cards, and secure notes.&lt;/p&gt;



&lt;p&gt;Since Proton is a Swiss company, you can benefit from the same privacy laws and neutrality that Swiss companies enjoy, outside of US and EU jurisdiction. All data is stored in Europe, on infrastructure that is owned and operated by Proton (no third-party cloud services). Over 50,000 organizations ranging from startups to Fortune 500 companies are already using our other &lt;a href=&quot;https://proton.me/business&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Proton for Business&lt;/a&gt; services because of our advanced encryption and data protection advantages.&lt;/p&gt;



&lt;p&gt;To help more organizations access better security, we&amp;#8217;re offering a rare 50% discount on Proton Pass for Business for a limited time, with pricing starting at $1.99 per user, per month. Companies that claim this launch offer &lt;strong&gt;will maintain this price forever&lt;/strong&gt;.&lt;/p&gt;






&lt;h2 class=&quot;wp-block-heading&quot;&gt;A modern password manager with trusted encryption&lt;/h2&gt;



&lt;p&gt;We started Proton in 2014 because we were concerned about the future of data privacy and security. Taking a different path from companies like Google and Microsoft, we made &lt;a href=&quot;https://proton.me/security/end-to-end-encryption&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;end-to-end encryption&lt;/a&gt; the default so that we would never have access to virtually any personal data on our servers. Today over 100 million people trust our &lt;a href=&quot;https://proton.me/mail&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;secure email&lt;/a&gt;, &lt;a href=&quot;https://proton.me/calendar&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;calendar&lt;/a&gt;, &lt;a href=&quot;https://proton.me/drive&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;cloud storage&lt;/a&gt;, and &lt;a href=&quot;https://protonvpn.com/business&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;VPN&lt;/a&gt; because we offer more advanced security, transparency through open source code, and a business model based on privacy, not ads.&lt;/p&gt;



&lt;p&gt;Proton Pass is no exception.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Proton Pass encrypts not just passwords but also metadata like usernames and web addresses. Like all our apps, Pass is &lt;a href=&quot;https://proton.me/blog/pass-open-source-security-audit&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;open source and undergoes regular third-party audits&lt;/a&gt;.&lt;/p&gt;



&lt;p&gt;Launching a password manager in 2023 gave us an advantage over legacy providers because we could start from a clean slate. We created not just a vault for passwords but a modern identity manager with unique features and no learning curve to start using it.&lt;/p&gt;



&lt;p&gt;Here are some of the ways Proton Pass for Business can boost your team’s security and productivity:&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Get your team started quickly&lt;/h3&gt;



&lt;p&gt;Proton Pass for Business is a password manager tailored for teams. We designed our interface to be intuitive, and our community has praised the user experience of the Pass apps. Not only will this reduce onboarding headaches, it will also ensure employees actually use it as intended.&lt;/p&gt;



&lt;ul&gt;
&lt;li&gt;With &lt;a href=&quot;https://proton.me/pass/download&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;browser extensions and mobile apps&lt;/a&gt;, you can autofill login details and two-factor authentication codes so your team is more efficient and secure.&lt;/li&gt;



&lt;li&gt;Easily &lt;a href=&quot;https://proton.me/support/pass-import&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;import your data&lt;/a&gt; from any other provider.&lt;/li&gt;



&lt;li&gt;Admins can add and manage multiple users and set permissions. Our &lt;a href=&quot;https://proton.me/pass/password-sharing&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;sharing&lt;/a&gt; settings are flexible and allow granular control.&lt;/li&gt;
&lt;/ul&gt;



&lt;figure class=&quot;wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio&quot;&gt;&lt;div class=&quot;wp-block-embed__wrapper&quot;&gt;
&lt;iframe loading=&quot;lazy&quot; title=&quot;Secure Password Sharing in Proton Pass&quot; width=&quot;750&quot; height=&quot;422&quot; src=&quot;https://www.youtube-nocookie.com/embed/Dj02h207M-Y?feature=oembed&quot; frameborder=&quot;0&quot; allow=&quot;accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share&quot; allowfullscreen&gt;&lt;/iframe&gt;
&lt;/div&gt;&lt;/figure&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Based in Switzerland and GDPR compliant&lt;/h3&gt;



&lt;p&gt;Proton must comply with strong data protection laws, including the GDPR and HIPAA, and we can never disclose your data to anyone without a Swiss court order. This makes Proton a neutral safe haven for your business data, committed to defending your business&amp;#8217;s digital presence.&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/switzerland&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;&lt;em&gt;See the benefits of Swiss privacy&lt;/em&gt;&lt;/a&gt;&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Stop phishing attacks with built-in 2FA&lt;/h3&gt;



&lt;figure class=&quot;wp-block-image size-large&quot;&gt;&lt;img width=&quot;1024&quot; height=&quot;512&quot; data-public-id=&quot;wp-pme/pass-b2b-launch-blog-2fa2x.png&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_512,c_scale/f_auto,q_auto/v1707557755/wp-pme/pass-b2b-launch-blog-2fa2x/pass-b2b-launch-blog-2fa2x-1024x512.png?_i=AA&quot; alt=&quot;&quot; class=&quot;wp-post-51773 wp-image-51778&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557755&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_512,c_scale/f_auto,q_auto/v1707557755/wp-pme/pass-b2b-launch-blog-2fa2x/pass-b2b-launch-blog-2fa2x.png?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_150,c_scale/f_auto,q_auto/v1707557755/wp-pme/pass-b2b-launch-blog-2fa2x/pass-b2b-launch-blog-2fa2x.png?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_384,c_scale/f_auto,q_auto/v1707557755/wp-pme/pass-b2b-launch-blog-2fa2x/pass-b2b-launch-blog-2fa2x.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_1536,h_768,c_scale/f_auto,q_auto/v1707557755/wp-pme/pass-b2b-launch-blog-2fa2x/pass-b2b-launch-blog-2fa2x.png?_i=AA 1536w, https://res.cloudinary.com/dbulfrlrz/images/w_2048,h_1024,c_scale/f_auto,q_auto/v1707557755/wp-pme/pass-b2b-launch-blog-2fa2x/pass-b2b-launch-blog-2fa2x.png?_i=AA 2048w, https://res.cloudinary.com/dbulfrlrz/images/w_1568,h_784,c_scale/f_auto,q_auto/v1707557755/wp-pme/pass-b2b-launch-blog-2fa2x/pass-b2b-launch-blog-2fa2x.png?_i=AA 1568w&quot; sizes=&quot;(max-width: 1024px) 100vw, 1024px&quot; /&gt;&lt;/figure&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/what-is-two-factor-authentication-2fa&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Two-factor authentication&lt;/a&gt; (2FA) is vital for advanced security because 2FA can stop hackers from accessing accounts even if your passwords are exposed in a phishing attack or data leak. But many people neglect 2FA because it can be tricky to set up. Proton Pass removes the hassle, with 2FA support built in and activated with a single click.&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/support/pass-2fa&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;&lt;em&gt;Learn about integrated 2FA&lt;/em&gt;&lt;/a&gt;&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Prevent phishing with Hide-my-email aliases&lt;/h3&gt;



&lt;figure class=&quot;wp-block-image size-large&quot;&gt;&lt;img width=&quot;1024&quot; height=&quot;512&quot; data-public-id=&quot;wp-pme/pass-b2b-launch-blog-alias2x.png&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_512,c_scale/f_auto,q_auto/v1707557750/wp-pme/pass-b2b-launch-blog-alias2x/pass-b2b-launch-blog-alias2x-1024x512.png?_i=AA&quot; alt=&quot;&quot; class=&quot;wp-post-51773 wp-image-51781&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557750&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_512,c_scale/f_auto,q_auto/v1707557750/wp-pme/pass-b2b-launch-blog-alias2x/pass-b2b-launch-blog-alias2x.png?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_150,c_scale/f_auto,q_auto/v1707557750/wp-pme/pass-b2b-launch-blog-alias2x/pass-b2b-launch-blog-alias2x.png?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_384,c_scale/f_auto,q_auto/v1707557750/wp-pme/pass-b2b-launch-blog-alias2x/pass-b2b-launch-blog-alias2x.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_1536,h_768,c_scale/f_auto,q_auto/v1707557750/wp-pme/pass-b2b-launch-blog-alias2x/pass-b2b-launch-blog-alias2x.png?_i=AA 1536w, https://res.cloudinary.com/dbulfrlrz/images/w_2048,h_1024,c_scale/f_auto,q_auto/v1707557750/wp-pme/pass-b2b-launch-blog-alias2x/pass-b2b-launch-blog-alias2x.png?_i=AA 2048w, https://res.cloudinary.com/dbulfrlrz/images/w_1568,h_784,c_scale/f_auto,q_auto/v1707557750/wp-pme/pass-b2b-launch-blog-alias2x/pass-b2b-launch-blog-alias2x.png?_i=AA 1568w&quot; sizes=&quot;(max-width: 1024px) 100vw, 1024px&quot; /&gt;&lt;/figure&gt;



&lt;p&gt;Proton Pass lets you generate email aliases when creating new online accounts or signing up for newsletters. Using email aliases adds a layer of phishing protection for your business by letting you receive emails without disclosing your real email address or business domain. Aliases also help you cut down on spam and prevent identity theft.&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/pass/aliases&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;&lt;em&gt;Learn about Hide-my-email aliases&lt;/em&gt;&lt;/a&gt;&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Block attackers with Proton Sentinel&lt;/h3&gt;



&lt;p&gt;Proton Pass for Business plans come with &lt;a href=&quot;https://proton.me/blog/sentinel-included-pass-plus&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Sentinel&lt;/a&gt;, our unique anti-phishing technology that uses AI and human analysts from the Proton cybersecurity team to monitor for suspicious login attempts. This program can block account takeover attacks, even if the attacker has already stolen your password.&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/sentinel-included-pass-plus&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;&lt;em&gt;Learn about Proton Sentinel&lt;/em&gt;&lt;/a&gt;&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Start protecting your accounts&lt;/h2&gt;



&lt;p&gt;Because Proton is &lt;a href=&quot;https://proton.me/about&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;customer-funded&lt;/a&gt; and not venture capital/private equity funded, Proton puts your need for security, privacy, and usability first. Our financial stability means no surprise or unfair price increases, and even the &lt;a href=&quot;https://proton.me/blog/proton-pass-price-change&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;occasional price drop&lt;/a&gt;. &lt;/p&gt;



&lt;p&gt;We have many new features for Proton Pass in the works and an aggressive roadmap for 2024, &lt;a href=&quot;https://proton.me/blog/building-modern-password-manager&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;building on our strong success in 2023&lt;/a&gt;. We’re also rapidly developing new enterprise features across the encrypted Proton ecosystem, so joining Pass is a great way to start adopting more data protection measures in your workplace. Best of all, because Proton is customer-funded, you can let us know which features you would like to see next and the most requested ones will be added.&lt;/p&gt;



&lt;p&gt;If you sign up for Proton Pass for Business now, you can take advantage of our limited-time offer of 50% off, with pricing starting at $1.99 per user, per month. This is an affordable and simple way to protect your team from phishing attacks and data breaches — as well as making work a lot easier.&lt;/p&gt;



</content:encoded></item><item><title><![CDATA[Apple’s DMA compliance plan is a trap and a slap in the face for the European Commission]]></title><description><![CDATA[Apple responds to the EU’s DMA with extortionary fees, scare screens, and general contempt. The European Commission must respond.]]></description><link>https://proton.me/blog/apple-dma-compliance-plan-trap</link><guid isPermaLink="false">https://proton.me/blog/apple-dma-compliance-plan-trap</guid><category><![CDATA[Opinion]]></category><dc:creator><![CDATA[Andy Yen]]></dc:creator><pubDate>Mon, 05 Feb 2024 10:09:34 GMT</pubDate><content:encoded>
&lt;p&gt;If there were still doubts over whether Apple is an abusive monopolist, they were emphatically dismissed this week. Apple’s new app store policy that it claims will bring it into compliance with Europe’s &lt;a href=&quot;https://proton.me/blog/dma-deliberations&quot;&gt;Digital Markets Act&lt;/a&gt; is a textbook case of malicious compliance (in fact, it’s listed as an example under the &lt;a href=&quot;https://en.wikipedia.org/wiki/Malicious_compliance&quot;&gt;malicious compliance&lt;/a&gt; Wikipedia entry) that spits in the face of open markets, fair competition, and the European Commission.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;As a recap, Apple currently has a number of policies for its App Store that are so abusive that the European Union was compelled to pass a new law, the Digital Markets Act (DMA), to rein in some of the worst offenses. These abuses include:&lt;/p&gt;



&lt;ul&gt;
&lt;li&gt;Requiring developers to pay 30% of their revenue to Apple&lt;/li&gt;



&lt;li&gt;Banning alternative payment methods&lt;/li&gt;



&lt;li&gt;Not allowing developers to inform users about alternative payment methods&lt;/li&gt;



&lt;li&gt;Not allowing developers to inform users that they can obtain a service more cheaply elsewhere&lt;/li&gt;



&lt;li&gt;Monopolizing all app distribution via the App Store&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;These practices were almost universally despised, which is why the DMA was passed with broad consensus. Apple’s policy is actually worse than abusive — it’s also bad for privacy as it penalizes app developers who use subscriptions as opposed to an ad-based business model (one of the reasons why Apple is not actually a privacy company despite all of their advertising).&amp;nbsp;&lt;/p&gt;



&lt;p&gt;While almost everyone agrees that this is terrible, Apple’s idea of addressing these concerns is to provide an alternative so bad that the current shakedown scheme seems good in comparison. Let’s break down just how absurd Apple’s new proposals are.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Apple threatens major app developers with CTF&lt;/h2&gt;



&lt;p&gt;The DMA forces Apple to allow alternative payment methods and pressures it to reduce fees. Apple’s response to complaints about unfair fees is, yes you guessed it, a new unfair fee.&lt;/p&gt;



&lt;p&gt;Introducing the Core Technology Fee (CTF), a junk fee that serves no purpose other than trapping popular apps in Apple’s current shakedown scheme. By charging a €0.50 fee for each install after the first 1 million, Apple effectively uses a popular app’s scale against it to prevent it from using an alternative payment system or app store.&lt;/p&gt;



&lt;p&gt;Apple claims it needs this new fee to offset some of the “lowered” fees that Apple’s new policy offers in exchange, but it doesn’t require a PhD in Mathematics to see that this claim doesn’t stand up to scrutiny. &lt;/p&gt;



&lt;p&gt;Apple is offering to drop their current fees from 30% for the first payment and 15% for subscription renewals down to 17% and 10% respectively if you use an alternative payment method. However, payment processing is not free, and after factoring in the approximately 3% payment processing fees, the “lowered” fee for app developers is actually 20% and 13%.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Given that the bulk of the lifetime value of a typical subscription user is in the renewals, this essentially means that the &lt;strong&gt;“fee relief” that Apple’s new policy provides is just 2%&lt;/strong&gt;, from 15% to 13%. In exchange, developers must now pay €0.50 per install.&lt;/p&gt;



&lt;p&gt;This new fee structure would be devastating for apps that are mostly free, like Proton Mail or Proton VPN. Under this new scheme, app developers like Proton would have to potentially pay millions per year to Apple or stop offering a free app at all, meaning that we would have to stop providing privacy to people who can’t afford it.&lt;/p&gt;



&lt;p&gt;The only way to avoid the CTF is to continue with Apple’s current App Store policy. Apple is basically saying that if you don’t want your business to be burned down, you better keep quietly accepting our current shakedown… or else.&amp;nbsp;&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Apple kneecaps conversion rates for alternative payment systems&lt;/h2&gt;



&lt;p&gt;While the CTF works on trapping developers that focus on building a broad user base with a free app, Apple also has a trap for apps that generate revenue via subscription fees or in-app sales by killing their conversion rate.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;If you decide to use anything other than Apple’s in-app purchase system, you’re forced to display a “scare screen” designed by Apple, which you cannot modify.&lt;/p&gt;



&lt;p&gt;As an organization that relies on paid subscriptions, we have examined this carefully, and the templates that Apple mandates for any organization that wants to link to an alternative payment service are works of art. It’s as though Apple looked up every best practice developers use to maximize conversions and then inverted them to ensure the worst possible outcome.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;This is what is shown to the user if you don’t use Apple’s in-app purchase system:&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-large&quot;&gt;&lt;img width=&quot;536&quot; height=&quot;1024&quot; data-public-id=&quot;wp-pme/scare-screen.jpg&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_536,h_1024,c_scale/f_auto,q_auto/v1707557834/wp-pme/scare-screen/scare-screen-536x1024.jpg?_i=AA&quot; alt=&quot;&quot; class=&quot;wp-post-51554 wp-image-51556&quot; data-format=&quot;jpg&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557834&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_536,h_1024,c_scale/f_auto,q_auto/v1707557834/wp-pme/scare-screen/scare-screen.jpg?_i=AA 536w, https://res.cloudinary.com/dbulfrlrz/images/w_157,h_300,c_scale/f_auto,q_auto/v1707557834/wp-pme/scare-screen/scare-screen.jpg?_i=AA 157w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1468,c_scale/f_auto,q_auto/v1707557834/wp-pme/scare-screen/scare-screen.jpg?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_804,h_1536,c_scale/f_auto,q_auto/v1707557834/wp-pme/scare-screen/scare-screen.jpg?_i=AA 804w, https://res.cloudinary.com/dbulfrlrz/images/w_1072,h_2048,c_scale/f_auto,q_auto/v1707557834/wp-pme/scare-screen/scare-screen.jpg?_i=AA 1072w, https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1707557834/wp-pme/scare-screen/scare-screen.jpg?_i=AA 1080w&quot; sizes=&quot;(max-width: 536px) 100vw, 536px&quot; /&gt;&lt;/figure&gt;&lt;/div&gt;


&lt;p&gt;While Apple argues that this is needed to “protect users”, this is clearly a lie. Due to Apple’s arbitrary policies, they currently allow alternative payment systems for dozens of popular apps like Uber, Airbnb, Amazon, DoorDash, the McDonald’s app, and countless others. Yet, you never see such a screen when using one of those apps precisely because Apple doesn’t get a cut of those payments, so it doesn’t care.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;This scare screen can only be understood as Apple’s attempt to secure its monopolist revenues, not the safety of your payments.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Apple buries alternative app stores&lt;/h3&gt;



&lt;p&gt;What if you decide as a developer that you don’t like Apple’s choice of a life sentence in prison or a death sentence, and you decide to explore distribution via an alternative app store? Apple has a plan for you too. First, you’re still liable for the CTF, so there’s no relief there. But then Apple forces anyone who wants to use an alternative app store through a byzantine process before they can actually download anything.&lt;/p&gt;



&lt;p&gt;Just compare the user experience between the App Store and a hypothetical alternative app store based on Apple’s restrictions.&lt;/p&gt;



&lt;p&gt;The App Store comes pre-installed on your iPhone as the default. Once you log in to your Apple ID on your iPhone, you can immediately download apps and make purchases.&lt;/p&gt;



&lt;p&gt;To use an alternative app store, you would have to:&lt;/p&gt;



&lt;ul&gt;
&lt;li&gt;Go into your iPhone’s settings and change the default settings to allow your device to download an alternative app store.&lt;/li&gt;



&lt;li&gt;Go to the alternative app store’s website and download it.&amp;nbsp;&lt;/li&gt;



&lt;li&gt;Once you log in to the alternative app store, Apple will show you a scare screen about how it cannot guarantee your safety or refunds.&lt;/li&gt;



&lt;li&gt;You’ll then need to go back to your iPhone’s settings to make the new app store the default option on your device.&amp;nbsp;&lt;/li&gt;



&lt;li&gt;It’s likely that apps in alternative app stores won’t be able to offer all the same features that an app in the App Store could.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;This, combined with the fact that Apple can revoke an alternative app store at any time at their sole discretion and with no liability, means that nobody in their right mind would list their app in an alternative app store, much less develop one.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;But just in case you were crazy enough to do that, Apple also made getting a €1 million letter of credit a requirement to develop an alternative app store to make it financially impossible for most developers.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;If you choose the new policy, Apple will never let you out&lt;/h2&gt;



&lt;p&gt;Apple has also forced developers to pick a single policy to operate under. That means you either stick with the status quo or pick Apple’s even worse alternative. But it gets worse than that when examining the fine print.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Let’s say you decide to try to offer alternative payments so that your customers are not forced to go through Apple’s system (which makes them effectively Apple’s customers and not your customers). Apple does not permit you to also offer Apple’s in-app purchase (IAP) system. That means if the user gets scared off by Apple’s scare screen, you cannot provide them the alternative of paying through Apple IAP. Instead, Apple wants to make it so that you likely lose that sale.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Can it get worse? It’s Apple — of course it gets worse. Once you choose which policy you want to implement — the current App Store policy or Apple’s proposed new policy — your decision is permanent. So if you decide to take the risk of trying out alternative payments and it ends up working worse for your business, Apple doesn’t allow you to go back and instead traps you permanently. By making the decision irreversible, Apple has intentionally made picking the new policy a massive business risk for developers, therefore ensuring that nobody will pick the new policy and risk business suicide.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Apple can change its policies on a whim&lt;/h2&gt;



&lt;p&gt;While one might think that all of the barriers put up above might be enough to deter developers from picking among the choices they’re now legally entitled to under the DMA, Apple has thrown in even more barriers just for good measure.&lt;/p&gt;



&lt;p&gt;Apple reserves the right to change its policies at any point in the future at its sole discretion. It can unilaterally create a new API for developers to report external sales in the future or revoke any developer’s right to use an alternative app store at any time with no liability — and these are just the examples it listed in its announcement.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Notably, that means that if you choose the new system, Apple could at any time decide to change the CTF from, say, €0.50 per install to €5 per install. Because of the other conditions that trap you in the new policy, there would be nothing you could do about it. Essentially, you’re entirely at Apple’s mercy, which, if it isn’t clear by now, is obviously Apple’s true intent.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Apple has lost its way&lt;/h2&gt;



&lt;p&gt;In considering all of the above, Apple&amp;#8217;s behavior is that of a vengeful prison guard.&lt;/p&gt;



&lt;p&gt;And that’s a pity because it was not so long ago that Apple was the scrappy upstart battling against the big, bad Microsoft monopoly. The company that once encouraged us to “Think different” now doesn’t want us to think at all. Instead, it expects us to quietly accept its increasingly abusive actions. Ironically, if today’s Apple encountered the trailblazing Apple of the 1980s, it would probably try to tax it to death.&lt;/p&gt;



&lt;p&gt;With the DMA coming into effect on March 7, 2024, there could be another word that describes Apple&amp;#8217;s behavior: illegal.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Will the European Commission rise to the challenge?&lt;/h2&gt;



&lt;p&gt;Unlike Apple’s arbitrary rules and fees, the DMA is not a random creation but a democratic response to Apple’s long history of abusive behavior. The DMA was passed by a democratically elected body via a legitimate process, and it is now law in the European Union. Apple’s new policy is not only blatantly non-compliant, it’s actively contemptuous of the law, showing complete disregard for democracy.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;With this proposal, Apple is signaling that it is above the law and that there is nothing Europe can do to stop it. If the European Commission allows this to go unchallenged, it will be a decision that has dire consequences for the future of Europe and the rest of the world. At this important crossroads, there should be only one path the European Commission can take — if it can muster up the courage.&lt;/p&gt;



&lt;hr class=&quot;wp-block-separator has-alpha-channel-opacity&quot;/&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Appendix&lt;/h2&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;A table of the “choice” Apple is giving developers&lt;/h3&gt;



&lt;p&gt;Apple claims it’s giving developers the ability to choose the plan that fits them best — but if you examine them, it’s clear that it’s tilting the benefits towards remaining in the App Store. We break down the details in the table below:&lt;/p&gt;



&lt;figure class=&quot;wp-block-table&quot;&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Current App Store policy&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;New policy for the App Store&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;New policy for an alternative app store&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Apple’s standard fees&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&amp;#8211; 30% of all subscriptions and in-app purchases.&lt;br&gt;&amp;#8211; 15% for developers in the App Store Small Business Program (or for subscriptions after the first year).&lt;/td&gt;&lt;td&gt;&amp;#8211; 17% of all subscriptions and in-app purchases.&lt;br&gt;&amp;#8211; 10% for developers in the App Store Small Business Program (or for subscriptions after the first year).&lt;/td&gt;&lt;td&gt;NA&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Apple’s additional fees&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;None&lt;/td&gt;&lt;td&gt;Core Technology Fee (CTF) of €0.50 for each first annual installation above 1 million installations over a 12-month rolling period.&lt;/td&gt;&lt;td&gt;Core Technology Fee (CTF) of €0.50 for each first annual installation above 1 million installations over a 12-month rolling period.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Payment processing&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;Handled by Apple’s IAP system for no additional fee.&lt;/td&gt;&lt;td&gt;&amp;#8211; Handled by an external payment processor for 3% fee.&lt;br&gt;&amp;#8211; Apple will show a scare screen.&lt;br&gt;&amp;#8211; Cannot use Apple’s IAP system at all.&lt;/td&gt;&lt;td&gt;&amp;#8211; Handled by an external payment processor for 3% fee.&lt;br&gt;&amp;#8211; Apple will show a scare screen.&lt;br&gt;&amp;#8211; Cannot use Apple’s IAP system at all.&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Conditions to link out of App Store for subscriptions&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;Banned&lt;/td&gt;&lt;td&gt;&amp;#8211; Can only go to the developer’s website.&lt;br&gt;&amp;#8211; Developers cannot share info about subscriptions on the app’s product page in the App Store.&lt;br&gt;&amp;#8211; Apple will show a scare screen.&lt;/td&gt;&lt;td&gt;NA&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Conditions to use alternative app stores&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;Banned&lt;/td&gt;&lt;td&gt;NA&lt;/td&gt;&lt;td&gt;&amp;#8211; Apps must be offered via alternative app stores — developers cannot offer app downloads directly from their website.&lt;br&gt;&amp;#8211; Apple must review and “notarize” each app, meaning it can prevent apps from appearing in external app stores and dictate what features they can and cannot offer.&lt;br&gt;&amp;#8211; Apple can refuse to give developers permission to use external app stores or revoke previously given permission at its discretion.&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/figure&gt;



&lt;p&gt;Anyone who decides to opt out of Apple’s current policy and use an alternative payment processor or app store must also track their users’ subscription fees and report them to Apple so that Apple can invoice them. Apple also reserves the right to audit these developers’ financial records to ensure they’re paying the proper amount of fees.&lt;/p&gt;
</content:encoded></item><item><title><![CDATA[How to export passwords from Chrome]]></title><description><![CDATA[Using the Chrome password manager is a bad idea. This is how to export passwords from Chrome and keep them out of Google’s hands.]]></description><link>https://proton.me/blog/ow-to-export-passwords-from-chrome</link><guid isPermaLink="false">https://proton.me/blog/ow-to-export-passwords-from-chrome</guid><category><![CDATA[Privacy Basics]]></category><dc:creator><![CDATA[Fergus O'Sullivan]]></dc:creator><pubDate>Fri, 02 Feb 2024 13:29:43 GMT</pubDate><content:encoded>
&lt;p&gt;If you want to leave Google, one of the first things you must do is stop using its proprietary browser, Chrome, and its built-in &lt;a href=&quot;/blog/what-is-a-password-manager&quot;&gt;password manager&lt;/a&gt;. A vital first step towards leaving Google is downloading your passwords so you can transition more easily to a new, better password manager. This article explains how you can quickly export your passwords from Chrome.&lt;/p&gt;



&lt;p&gt;It’s a fairly simple process and shouldn’t take more than a few minutes. We’ll also show you the benefits of signing up to our own password manager, &lt;a href=&quot;https://proton.me/pass&quot;&gt;Proton Pass&lt;/a&gt;, and how to import your passwords.&lt;/p&gt;



&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;#Why-export-Google-Chrome-passwords&quot;&gt;Why export Google Chrome passwords?&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#How-to-export-saved-passwords-from-Chrome&quot;&gt;How to export passwords from Chrome&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;#Deleting-your-passwords-from-Chrome&quot;&gt;Deleting your passwords from Chrome&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#What-to-use-instead-of-your-Google-account&quot;&gt;What to use instead of your Google account&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;Why-export-Google-Chrome-passwords&quot;&gt;Why export Google Chrome passwords?&lt;/h2&gt;



&lt;p&gt;Exporting your passwords from Chrome is just another step on your way to claiming your freedom from Google. Though its search is very efficient, Google’s real business model is making money off your data by using it to target you with ads. It uses some pretty underhanded tactics to do this, too, like &lt;a href=&quot;/blog/google-privacy-washing-android&quot;&gt;privacy washing&lt;/a&gt;, where the company pretends to care about privacy even while monitoring your every move online.&lt;/p&gt;



&lt;p&gt;Chrome’s password manager is just another tactic Google uses in its money-making strategy. If you use Chrome’s password manager, you have to use Chrome, Google’s browser. By locking you into its ecosystem, Google can track more and more of your data, which means more ads and more revenue.&lt;/p&gt;



&lt;p&gt;More importantly, the Chrome password manager lacks some of the basic features you should expect from a password manager. It’s &lt;a href=&quot;/blog/google-password-manager-security&quot;&gt;not as safe&lt;/a&gt; as it should be, and misses features like a built-in &lt;a href=&quot;/blog/what-is-two-factor-authentication-2fa&quot;&gt;two-factor authentication&lt;/a&gt; code generator, the ability to generate secure passphrases, and more. &lt;/p&gt;



&lt;p&gt;If you’re tired of Google, leaving is as simple as &lt;a href=&quot;/blog/turn-off-google-password-manager&quot;&gt;switching off Google password manager&lt;/a&gt;, exporting your passwords, and choosing a better alternative.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;How-to-export-saved-passwords-from-Chrome&quot;&gt;How to export saved passwords from Chrome&lt;/h2&gt;



&lt;p&gt;To export your passwords, go into Chrome and click on your &lt;strong&gt;profile picture&lt;/strong&gt; in the top right. A menu will pop out. Click on the &lt;strong&gt;key icon&lt;/strong&gt; to access Chrome’s password manager.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img loading=&quot;lazy&quot; decoding=&quot;async&quot; width=&quot;296&quot; height=&quot;450&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_296,h_450,c_scale/f_auto,q_auto/v1706867386/wp/export-chrome-passwords-menu-icon_51440f4bcd/export-chrome-passwords-menu-icon_51440f4bcd.png?_i=AA&quot; alt=&quot;Password manager location in Chrome&quot; class=&quot;wp-post-51435 wp-image-51439 wp-post-51435 wp-image-51440&quot; data-public-id=&quot;wp/export-chrome-passwords-menu-icon_51440f4bcd.png&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1706867386&quot; srcset=&quot;https://pme.protonblog.tech/wp-content/uploads/2024/02/export-chrome-passwords-menu-icon.png 296w, https://pme.protonblog.tech/wp-content/uploads/2024/02/export-chrome-passwords-menu-icon-197x300.png 197w&quot; sizes=&quot;(max-width: 296px) 100vw, 296px&quot; /&gt;&lt;/figure&gt;&lt;/div&gt;


&lt;p&gt;In the new screen, select &lt;strong&gt;Settings&lt;/strong&gt; in the menu to the left.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;800&quot; height=&quot;445&quot; data-public-id=&quot;wp/export-chrome-passwords-password-overview.png&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_800,h_445,c_scale/f_auto,q_auto/v1707557887/wp/export-chrome-passwords-password-overview/export-chrome-passwords-password-overview.png?_i=AA&quot; alt=&quot;Overview of Chrome passwords&quot; class=&quot;wp-post-51435 wp-image-51442&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557887&quot; /&gt;&lt;/figure&gt;&lt;/div&gt;


&lt;p&gt;You’ll see a list of options. Where it says &lt;strong&gt;Export passwords&lt;/strong&gt;, click on &lt;strong&gt;Download file&lt;/strong&gt;. &lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;800&quot; height=&quot;412&quot; data-public-id=&quot;wp/export-chrome-passwords-settings.png&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_800,h_412,c_scale/f_auto,q_auto/v1707557884/wp/export-chrome-passwords-settings/export-chrome-passwords-settings.png?_i=AA&quot; alt=&quot;Exporting passwords from Chrome&quot; class=&quot;wp-post-51435 wp-image-51445&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557884&quot; /&gt;&lt;/figure&gt;&lt;/div&gt;


&lt;p&gt;Chrome will prepare a CSV file for download (it’s a file format used to store tabular data). Download it to the location of your choice. You’ve exported your passwords from Chrome.&amp;nbsp;&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;Deleting-your-passwords-from-Chrome&quot;&gt;Deleting your passwords from Chrome&lt;/h3&gt;



&lt;p&gt;All that remains is to delete your passwords from Chrome. Sadly, Google makes this step hard for you. You’ll have to manually delete all passwords, one by one. To do so, click on a password entry in the main screen of the manager. When the entry pops up, click &lt;strong&gt;Delete&lt;/strong&gt;.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;800&quot; height=&quot;343&quot; data-public-id=&quot;wp/export-chrome-passwords-delete.png&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_800,h_343,c_scale/f_auto,q_auto/v1707557892/wp/export-chrome-passwords-delete/export-chrome-passwords-delete.png?_i=AA&quot; alt=&quot;Delete passwords in chrome&quot; class=&quot;wp-post-51435 wp-image-51436&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557892&quot; /&gt;&lt;/figure&gt;&lt;/div&gt;


&lt;p&gt;It’s a lot of work, but Google seems to like it that way — another reason to leave.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;What-to-use-instead-of-your-Google-account&quot;&gt;What to use instead of your Google account&lt;/h2&gt;



&lt;p&gt;With your passwords exported, you may wonder what’s next. After all, you shouldn’t give up using a password manager — they’re too useful and too effective at protecting your security. We’ve developed &lt;a href=&quot;https://proton.me/pass&quot;&gt;Proton Pass&lt;/a&gt; as an alternative password manager, one that puts privacy and the user first.&lt;/p&gt;



&lt;p&gt;For one, you can use Proton Pass in any browser — we don’t lock you in like Google does. It’s also more versatile, letting you add credit cards and secure notes. Best of all, we also let you create logins using an email alias, meaning your real email address remains unknown, adding a layer of protective anonymity.&lt;/p&gt;



&lt;p&gt;You can also be confident that with Proton, no one will be able to access your information without your permission. We use &lt;a href=&quot;/blog/what-is-end-to-end-encryption&quot;&gt;end-to-end encryption&lt;/a&gt; on all our apps, meaning that besides you, no one, not even Proton, can look at your data, such as your passwords. This means that you’re protected even in the unlikely event that Proton suffers a breach — your passwords and data would remain securely encrypted and safe from hackers, marketers, and anybody in between. This is a marked contrast from other password managers, such as &lt;a href=&quot;https://proton.me/blog/is-lastpass-safe&quot;&gt;LastPass&lt;/a&gt;.&lt;/p&gt;



&lt;p&gt;We can offer your data this much protection because, unlike Google, Proton was designed with privacy at its core. We’re entirely funded by members of our community, meaning our only concern is how to serve you best. &lt;/p&gt;



&lt;p&gt;If that sounds like something you’d want to be a part of, sign up for a &lt;a href=&quot;https://proton.me/pass/free&quot;&gt;free Proton Pass account&lt;/a&gt; today. You can &lt;a href=&quot;/support/pass-import&quot;&gt;import your passwords to Pass&lt;/a&gt; in just a few steps and be using a more secure Chrome password manager alternative in minutes.&lt;/p&gt;
</content:encoded></item><item><title><![CDATA[What is ransomware and how do you prevent it?]]></title><description><![CDATA[Ransomware is supposed to be one of the biggest threats to businesses, but what is ransomware, and how can you prevent it?]]></description><link>https://proton.me/blog/what-is-ransomware</link><guid isPermaLink="false">https://proton.me/blog/what-is-ransomware</guid><category><![CDATA[Privacy Basics]]></category><dc:creator><![CDATA[Fergus O'Sullivan]]></dc:creator><pubDate>Mon, 29 Jan 2024 12:52:57 GMT</pubDate><content:encoded>
&lt;p&gt;Ransomware is one of the more common and dangerous forms of cybercrime, but what is ransomware exactly? In this article we’ll explain how it works, and what you can do to prevent becoming the victim of a ransomware attack — and how to recover if you ever are.&lt;/p&gt;



&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;#What-is-ransomware&quot;&gt;What is ransomware?&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#How-does-ransomware-work&quot;&gt;How does ransomware work?&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#How-to-protect-against-ransomware&quot;&gt;How to protect against ransomware&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;#How-to-prevent-ransomware-infection&quot;&gt;How to prevent ransomware infection&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#Backups-and-versioning&quot;&gt;Backups and versioning&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;What-is-ransomware&quot;&gt;What is ransomware?&lt;/h2&gt;



&lt;p&gt;Ransomware is a type of malware that infiltrates your device, then &lt;a href=&quot;/blog/what-is-encryption&quot;&gt;encrypts&lt;/a&gt; your files, folders, or even the entire drive so you can no longer access them. The only way to decrypt your data is to pay a ransom (usually in the form of cryptocurrency) to the attackers. It’s extortion, plain and simple: If you don’t pay, your files are locked away forever or even destroyed.&lt;/p&gt;



&lt;p&gt;To give you an idea of how common, and how serious, the problem of ransomware is, the American insurance company Corvus &lt;a href=&quot;https://www.corvusinsurance.com/blog/q3-ransomware-report?utm_campaign=FY23-Q4-Quarterly%20Ransomware%20Report&amp;amp;utm_source=ransomware%20blog&amp;amp;utm_medium=press&quot;&gt;reports&lt;/a&gt; that attacks were up 95% in 2023 compared to 2022, and this number is expected to rise. According to Corvus, last year there were as many as 4,000 victims reported on &lt;a href=&quot;/blog/what-is-dark-web&quot;&gt;dark web sites&lt;/a&gt;; there are likely thousands more. The number of victims over the past two decades, since ransomware first became mainstream, is almost impossible to calculate.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;How-does-ransomware-work&quot;&gt;How does ransomware work?&lt;/h2&gt;



&lt;p&gt;Ransomware is a kind of malicious software that infects your computer, often as a Trojan horse virus (usually just called a Trojan). Trojans are so named because they’re disguised as something else — a handy program, a useful PDF, or an important spreadsheet — and reveal their true nature only once they’re on your hard drive.&lt;/p&gt;



&lt;p&gt;Where many computer viruses exist to extract information or simply to cause havoc, a ransomware virus will instead encrypt either an entire hard drive or parts of it. When the victim tries to access the computer or the folder, they receive a message that the files are encrypted and that a sum must be paid to either a bank account or, more likely, a crypto wallet.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;816&quot; height=&quot;611&quot; data-public-id=&quot;wp-pme/ransomware-example.png&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_816,h_611,c_scale/f_auto,q_auto/v1707557913/wp-pme/ransomware-example/ransomware-example.png?_i=AA&quot; alt=&quot;Example of ransomware&quot; class=&quot;wp-post-20773 wp-image-51353&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557913&quot; /&gt;&lt;/figure&gt;&lt;/div&gt;


&lt;p&gt;Once the victim gets the money or cryptocurrency together and transfers it, the attacker then sends a password that should once again decrypt the drive or folders. However, in practice it often doesn’t happen this way, and many victims don’t receive a password upon payment.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;As a result, it’s best not to pay ransomware attackers. If they could be trusted to uphold their end of the bargain it could be something you could risk, but that’s usually not the case. According to research done by &lt;a href=&quot;https://assets.sophos.com/X24WTUEQ/at/c949g7693gsnjh9rb9gr8/sophos-state-of-ransomware-2023-wp.pdf&quot;&gt;Sophos&lt;/a&gt;, roughly 50% of companies that paid up actually got their data back. The rest did not.&lt;/p&gt;



&lt;p&gt;That’s not great odds to begin with, but there’s also the risk of establishing a reputation as someone who pays attackers. According to &lt;a href=&quot;https://www.zdnet.com/article/most-firms-face-second-ransomware-attack-after-paying-off-first/&quot;&gt;one study&lt;/a&gt;, at least 80% of companies that paid were attacked again, often by the same group that targeted them the first time. As a result, it’s much better to prevent attacks instead, or at least make sure you can recover from them more easily.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;How-to-protect-against-ransomware&quot;&gt;How to protect against ransomware&lt;/h2&gt;



&lt;p&gt;Protecting against and dealing with ransomware needs a two-pronged approach: On the one hand you need to make sure you don’t get infected, and on the other you have to have systems in place in case you do.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;How-to-prevent-ransomware-infection&quot;&gt;How to prevent ransomware infection&lt;/h3&gt;



&lt;p&gt;Prevention is better than any cure, so let’s start there. Since ransomware is almost always a virus, you want to make sure you don’t download strange files, especially from unknown sources.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;The biggest threat to be aware of is &lt;a href=&quot;/blog/what-is-phishing&quot;&gt;phishing&lt;/a&gt;, in which an attacker will contact you impersonating a person or institution you normally trust. The aim is usually to get you to give up personal information, or in the case of ransomware, get you to download the virus. Always verify whom you’re dealing with.&lt;/p&gt;



&lt;p&gt;On top of that, never download files unless you know what they contain. That goes for unexpected emails, text messages, and websites. Fake sites are a popular way to distribute all kinds of malware, so check you’re on a legitimate site before downloading any files.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;Backups-and-versioning&quot;&gt;Backups and versioning&lt;/h3&gt;



&lt;p&gt;Of course, in any organization people make mistakes, and you can never rule out a successful ransomware attack. If a ransomware attack does pass your defenses, there is another option besides paying. You can ignore the attack, overwrite the hard drive, and then reinstall from an existing backup.&lt;/p&gt;



&lt;p&gt;For this, you need a &lt;a href=&quot;/blog/cloud-storage&quot;&gt;cloud storage&lt;/a&gt; service that can perform backups of vital files by syncing them. But the service needs to go one step further: The backups also need to create versions of files for every sync. This is because when attackers encrypt a file, that’s the version that gets uploaded to the cloud; with versioning, you can just roll back to an earlier version.&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/drive&quot;&gt;Proton Drive&lt;/a&gt; can do both these things. Through our &lt;a href=&quot;/blog/proton-drive-windows&quot;&gt;syncing feature&lt;/a&gt; on both the Windows and macOS desktop app, you can sync any file or folder from your device. Any time you make a change to those files, a new version is created, which you can then recall through our &lt;a href=&quot;/support/version-history&quot;&gt;version history&lt;/a&gt; feature. If you get hit with a ransomware attack, you just wipe the hard drive, restore your files, and get back to work, no ransom paid.&lt;/p&gt;



&lt;p&gt;Besides protecting files from ransomware, Proton Drive also keeps them safe from more direct attacks. For example, it uses &lt;a href=&quot;/blog/what-is-end-to-end-encryption&quot;&gt;end-to-end encryption&lt;/a&gt;, which prevents anybody but you from seeing what’s in your files. We also don’t have access to your passwords. Taken together, this means you and your business are at far less risk of a breach than with other cloud storage services that don’t use end-to-end encryption.&lt;/p&gt;



&lt;p&gt;If better security, smarter backups, and improved privacy sound like something you need, then &lt;a href=&quot;https://proton.me/pricing&quot;&gt;try out Proton Drive for free&lt;/a&gt;.&lt;/p&gt;
</content:encoded></item><item><title><![CDATA[How to store and manage your passwords safely]]></title><description><![CDATA[Your passwords are the keys to your digital life. In this article, we look at how to store and manage your passwords safely.]]></description><link>https://proton.me/blog/how-to-manage-your-passwords</link><guid isPermaLink="false">https://proton.me/blog/how-to-manage-your-passwords</guid><category><![CDATA[Privacy Basics]]></category><dc:creator><![CDATA[Douglas Crawford]]></dc:creator><pubDate>Fri, 26 Jan 2024 13:17:59 GMT</pubDate><content:encoded>
&lt;p&gt;Your passwords (or more accurately, your usernames and passwords) are the keys to your digital life. They are the first (and often only) line of defense, preventing hackers and other bad actors from ransacking your bank accounts and pillaging your personal details to steal your identity. It’s therefore vital to create strong and unique passwords for every service you use.&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/create-remember-strong-passwords&quot;&gt;&lt;strong&gt;Learn more about how to create strong passwords you&amp;#8217;ll actually remember&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;Creating strong passwords is a good start, but you’ll also need to store them safely in a way that you can access when you actually need them, plus edit them and add new passwords when you sign up for new services.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;In this article, we look at how to store and manage your passwords safely.&lt;/p&gt;



&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;#use-a-good-password-manager&quot;&gt;Use a good password manager&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#strong-master-password&quot;&gt;Secure your password manager with a strong master password&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#2fa&quot;&gt;Secure your password manager using 2FA&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#share-your-passwords-securely&quot;&gt;Share your passwords securely&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#phishing&quot;&gt;Be wary of phishing&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#conclusion&quot;&gt;Final thoughts&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;use-a-good-password-manager&quot;&gt;1. Use a good password manager&lt;/h2&gt;



&lt;p&gt;The single most important thing you can do to keep your passwords safe and accessible is to use a good password manager. These can generate, store, and autofill strong, unique passwords for each of your accounts, and can sync your passwords across all your devices.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Password managers encrypt your passwords, notes, bank card details, and other sensitive information so that no one but you can access them. Some password managers, however, are more secure than others.&lt;/p&gt;



&lt;p&gt;For example, LastPass suffered a &lt;a href=&quot;https://proton.me/blog/lessons-from-lastpass&quot;&gt;catastrophic data breach&lt;/a&gt; that would have been less serious if it encrypted all of its customers&amp;#8217; data (metadata such as URLs, file paths to installed LastPass Windows or macOS software, and certain user email addresses were unencrypted).&lt;/p&gt;



&lt;p&gt;Proton Pass is a password and identity manager that securely stores passwords, credit cards, and other data (including all metadata) using end-to-end encryption. It also suggests &lt;a href=&quot;https://proton.me/pass/aliases&quot;&gt;email aliases&lt;/a&gt; when creating accounts so you don’t have to share your real email address.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;1000&quot; height=&quot;785&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1000,h_785,c_scale/f_auto,q_auto/v1707557971/wp-pme/proton-pass/proton-pass.png?_i=AA&quot; alt=&quot;Proton Pass&quot; class=&quot;wp-post-51270 wp-image-51272&quot; data-public-id=&quot;wp-pme/proton-pass.png&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557971&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1707557971/wp-pme/proton-pass/proton-pass.png?_i=AA 1000w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_236,c_scale/f_auto,q_auto/v1707557971/wp-pme/proton-pass/proton-pass.png?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_603,c_scale/f_auto,q_auto/v1707557971/wp-pme/proton-pass/proton-pass.png?_i=AA 768w&quot; sizes=&quot;(max-width: 1000px) 100vw, 1000px&quot; /&gt;&lt;/figure&gt;&lt;/div&gt;


&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/proton-pass-security-model&quot;&gt;&lt;strong&gt;Learn more about the Proton Pass security model&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;strong-master-password&quot;&gt;2. Secure your password manager with a strong master password&lt;/h2&gt;



&lt;p&gt;A good password manager will keep your passwords safe — but it also needs to be secured itself using a strong master password. This is a single password (or better yet, &lt;a href=&quot;https://proton.me/blog/what-is-passphrase&quot;&gt;passphrase&lt;/a&gt;) that you use to access your other passwords (and related data).&amp;nbsp;&amp;nbsp;&lt;/p&gt;



&lt;p&gt;This is great, because you need only remember one password. However, it’s also a potential point of failure because if someone guesses your master password, they can access all your passwords (and other sensitive information).&amp;nbsp;&lt;/p&gt;



&lt;p&gt;It’s therefore vital to create a master password that is strong but that you’ll also remember. One easy way to do this is with our &lt;a href=&quot;https://proton.me/pass/password-generator&quot;&gt;online password generator&lt;/a&gt;. If using this, we suggest generating a &lt;strong&gt;Memorable&lt;/strong&gt; password.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-large&quot;&gt;&lt;img width=&quot;1024&quot; height=&quot;432&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_432,c_scale/f_auto,q_auto/v1707557968/wp-pme/proton-password-generator/proton-password-generator-1024x432.png?_i=AA&quot; alt=&quot;Proton online password generator&quot; class=&quot;wp-post-51270 wp-image-51275&quot; data-public-id=&quot;wp-pme/proton-password-generator.png&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557968&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_432,c_scale/f_auto,q_auto/v1707557968/wp-pme/proton-password-generator/proton-password-generator.png?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_127,c_scale/f_auto,q_auto/v1707557968/wp-pme/proton-password-generator/proton-password-generator.png?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_324,c_scale/f_auto,q_auto/v1707557968/wp-pme/proton-password-generator/proton-password-generator.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1707557968/wp-pme/proton-password-generator/proton-password-generator.png?_i=AA 1505w&quot; sizes=&quot;(max-width: 1024px) 100vw, 1024px&quot; /&gt;&lt;/figure&gt;&lt;/div&gt;


&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;2fa&quot;&gt;3. Secure your password manager using 2FA&lt;/h2&gt;



&lt;p&gt;One-factor authentication requires something you know (your login details). Two-factor authentication (2FA) requires an additional piece of information that proves your identity. This is usually a physical device, such as your phone or a &lt;a href=&quot;https://proton.me/blog/universal-2nd-factor-u2f&quot;&gt;2FA security key&lt;/a&gt;.&lt;/p&gt;



&lt;p&gt;Unless an adversary has physical access to this device, they can’t access your accounts. Two-factor authentication therefore provides a valuable additional layer of security for your account, and this is never more important than when securing your password manager.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/what-is-two-factor-authentication-2fa&quot;&gt;&lt;strong&gt;Learn more about two-factor authentication&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;You can secure your Proton Account (including your access to Pass) with 2FA using a third-party &lt;a href=&quot;https://proton.me/support/two-factor-authentication-2fa&quot;&gt;TOTP authenticator app&lt;/a&gt; or a &lt;a href=&quot;https://proton.me/support/2fa-security-key&quot;&gt;U2F or FIDO2 security key&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;It’s worth noting that &lt;a href=&quot;https://proton.me/support/pass-2fa&quot;&gt;Proton Pass features an integrated 2FA authenticator&lt;/a&gt;. For security reasons, you shouldn&amp;#8217;t use this to secure your Pass master password, but it does provide a convenient way to protect your other accounts with 2FA.&amp;nbsp;&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;share-your-passwords-securely&quot;&gt;4. Share your passwords securely&lt;/h2&gt;



&lt;p&gt;Sometimes you need to share passwords with friends, family, and colleagues. If you can’t do this in person, then be careful to use a secure end-to-end encrypted communications channel.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/what-is-end-to-end-encryption&quot;&gt;&lt;strong&gt;Learn more about end-to-end encryption&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;Many popular channels, including most email services (such as Gmail, Outlook.com, and iCloud Mail) do not use end-to-end encryption. This means the service provider can see the contents of all your messages. Please also be aware that on Telegram, only &lt;a href=&quot;https://core.telegram.org/blackberry/secretchats&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Secret chats&lt;/a&gt; are end-to-end encrypted. &lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/whatsapp-alternatives&quot;&gt;&lt;strong&gt;Learn which messenger apps are good for privacy&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;Arguably the worst communications channel to share passwords on is SMS. SMS texts are not encrypted in any way, and the technology that underpins the SMS network is heavily compromised by hackers (both criminal and state-sponsored).&amp;nbsp;&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/stop-using-sms&quot;&gt;&lt;strong&gt;Learn why you should stop using SMS&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;Safe ways to remotely share your passwords must use end-to-end encryption. This includes secure messaging apps such as Signal, email services such as &lt;a href=&quot;https://proton.me/mail&quot;&gt;Proton Mail&lt;/a&gt;, and via files stored on secure cloud storage platforms such as &lt;a href=&quot;https://proton.me/drive&quot;&gt;Proton Drive&lt;/a&gt; using &lt;a href=&quot;https://proton.me/blog/file-sharing-proton-drive&quot;&gt;password-protected links&lt;/a&gt;.&lt;/p&gt;



&lt;p&gt;Alternatively, the Proton Pass app offers a secure Password Sharing feature that allows you to easily share your passwords, usernames, credit cards, and other data stored in Proton Pass with anyone. Your data stays end-to-end encrypted, and you can revoke access anytime.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;714&quot; height=&quot;486&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_714,h_486,c_scale/f_auto,q_auto/v1707557965/wp-pme/share-browser-2-1/share-browser-2-1.png?_i=AA&quot; alt=&quot;Securely share a Proton Pass vault&quot; class=&quot;wp-post-51270 wp-image-51279&quot; data-public-id=&quot;wp-pme/share-browser-2-1.png&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-version=&quot;1707557965&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1707557965/wp-pme/share-browser-2-1/share-browser-2-1.png?_i=AA 714w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_204,c_scale/f_auto,q_auto/v1707557965/wp-pme/share-browser-2-1/share-browser-2-1.png?_i=AA 300w&quot; sizes=&quot;(max-width: 714px) 100vw, 714px&quot; /&gt;&lt;/figure&gt;&lt;/div&gt;


&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/password-sharing&quot;&gt;&lt;strong&gt;Learn more about Password Sharing in Proton Pass&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;phishing&quot;&gt;5. Be wary of phishing&lt;/h2&gt;



&lt;p&gt;Phishing scams try to trick you into downloading malware or revealing sensitive data (such as your bank password and username). Phishing attacks come in many forms, but the one people are probably most familiar with is the scam email that purports to be sent from a legitimate company and contains links encouraging you to sign in to a fake copycat website.&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/what-is-phishing&quot;&gt;&lt;strong&gt;Learn more about phishing&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;To keep your passwords secure, be cautious about where you enter them and always verify the authenticity of the website or service before inputting your credentials.&lt;/p&gt;



&lt;p&gt;With Proton Pass’s &lt;strong&gt;&lt;a href=&quot;https://proton.me/pass/aliases&quot;&gt;Hide my email&lt;/a&gt;&lt;/strong&gt; feature, you can create unique email aliases for each service you sign up for, which are then instantly forwarded to your inbox. You can disable or delete these aliases as needed. As fewer websites have access to your real email address, &lt;strong&gt;Hide my email&lt;/strong&gt; helps to protect you against phishing (and also spam).&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;conclusion&quot;&gt;Final thoughts&lt;/h2&gt;



&lt;p&gt;Managing your digital security through strong and unique passwords is not just a good practice, it&amp;#8217;s necessary if you want to prevent your accounts being hacked. By utilizing a reliable password manager like Proton Pass, strengthening it with a robust master password, and reinforcing it with two-factor authentication, you place a formidable barrier between your personal information and potential intruders.&lt;/p&gt;



&lt;p&gt;Additionally, understanding the importance of secure password sharing and remaining vigilant against phishing attempts are crucial steps in safeguarding your online presence. Remember, each step you take towards securing your passwords is a stride towards protecting your digital identity.&amp;nbsp;&lt;/p&gt;
</content:encoded></item><item><title><![CDATA[A timeline of Dropbox security issues]]></title><description><![CDATA[Worried about Dropbox security issues? Learn about the big Dropbox breach of 2012 and many other security incidents the cloud storage provider has experienced over the years.]]></description><link>https://proton.me/blog/dropbox-security-issues</link><guid isPermaLink="false">https://proton.me/blog/dropbox-security-issues</guid><category><![CDATA[Privacy Basics]]></category><dc:creator><![CDATA[Fergus O'Sullivan]]></dc:creator><pubDate>Fri, 26 Jan 2024 10:28:50 GMT</pubDate><content:encoded>
&lt;p&gt;Dropbox was the first mainstream &lt;a href=&quot;/blog/cloud-storage&quot;&gt;cloud storage&lt;/a&gt; service available and has blazed many trails for the industry. Sadly, it has also made a lot of missteps over the years, the worst of which was the Dropbox breach of 2012, the biggest the industry has seen. We put together this timeline of Dropbox security issues so you can decide for yourself if this is still the provider for you.&lt;/p&gt;



&lt;p&gt;If after reading you’re ready to make the jump, check out this quick guide to &lt;a href=&quot;/blog/how-to-delete-dropbox-account&quot;&gt;deleting your Dropbox account&lt;/a&gt;. And finally, as you’re considering a Dropbox alternative, we also share information below about &lt;a href=&quot;https://proton.me/drive&quot;&gt;Proton Drive&lt;/a&gt;, which is a lot more secure.&lt;/p&gt;



&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;#Dropbox-security-breaches&quot;&gt;Dropbox security breaches: a timeline&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;#2011&quot;&gt;2011&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#2012&quot;&gt;2012&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#2013&quot;&gt;2013&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#2017&quot;&gt;2017&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#2018&quot;&gt;2018&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#2022&quot;&gt;2022&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#What-can-you-use-instead-of-Dropbox&quot;&gt;What can you use instead of Dropbox?&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;Dropbox-security-breaches&quot;&gt;Dropbox security breaches: a timeline&lt;/h2&gt;



&lt;p&gt;Dropbox was started in 2008 and, since 2011, has experienced some kind of breach almost every year, though the pace has slowed down somewhat recently. Still, when deciding which cloud storage service to trust with your files, it’s important to look at their track record.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;2011&quot;&gt;2011: Dropbox password bug&lt;/h3&gt;



&lt;p&gt;Dropbox’s first scandal came in June 2011, just three years after it was founded. Thanks to a bug, for a period of about four hours the Dropbox system &lt;a href=&quot;https://techcrunch.com/2011/06/20/dropbox-security-bug-made-passwords-optional-for-four-hours/&quot;&gt;would accept any password&lt;/a&gt; you gave it, meaning that anybody could gain access to any account as long as they knew the username or email — a good case for using a &lt;a href=&quot;/blog/safe-username&quot;&gt;safe username&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;That said, it should be noted that actually fixing the issue took the Dropbox team just five minutes once they were notified about it. However, during those four hours every Dropbox account was wide open. It was pure luck that no attackers found out about the vulnerability in that time span.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;2012&quot;&gt;2012: Dropbox breach, 78 million passwords compromised&lt;/h3&gt;



&lt;p&gt;In July 2012, Dropbox &lt;a href=&quot;https://blog.dropbox.com/topics/company/security-update-new-features&quot;&gt;reported&lt;/a&gt; that some usernames and passwords were stolen from other sites and then used to access Dropbox (a good reason to &lt;a href=&quot;/blog/create-remember-strong-passwords&quot;&gt;create strong passwords&lt;/a&gt; for each site separately). Dropbox responded by deploying security measures to make unauthorized access harder.&lt;/p&gt;



&lt;p&gt;So far, so good, but in 2016 it came out that &lt;a href=&quot;https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach&quot;&gt;Dropbox hadn’t told the whole story&lt;/a&gt;: Among those hacked in 2012 was a Dropbox employee who had used his company password on LinkedIn, as well. This gave the attackers access to Dropbox’s systems.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Once the story broke in 2016 — four years after the initial breach — it quickly came out that around 68 million users had been compromised, making it the biggest hack in cloud storage history, and one of the bigger ones in internet history, period. On top of that was the scandal of Dropbox, a huge company, taking four years to acknowledge the full scale of the damage done.&amp;nbsp;&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;2013&quot;&gt;2013: PRISM allegations&lt;/h3&gt;



&lt;p&gt;When in 2013 Edward Snowden revealed to &lt;em&gt;The Guardian&lt;/em&gt; newspaper that the United States government was spying on people all over the world through the PRISM program, &lt;a href=&quot;https://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html&quot;&gt;one of the names&lt;/a&gt; that came up was Dropbox. According to Snowden, the company was eager to work with the US authorities, calling it a “&lt;a href=&quot;https://www.zdnet.com/article/snowden-wannabe-prism-partner-dropbox-is-hostile-to-privacy/&quot;&gt;wannabe PRISM partner&lt;/a&gt;”.&lt;/p&gt;



&lt;p&gt;It’s unclear whether Dropbox ever joined the PRISM project — the company has always denied doing so — but it should probably give people pause that any cloud storage service would be described as being enthusiastic to join a massive surveillance conspiracy. &lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;2017&quot;&gt;2017: Resurrected data&lt;/h3&gt;



&lt;p&gt;In January 2017, some Dropbox users encountered something very odd: Files they had deleted, in some cases years ago, suddenly reappeared in their Dropbox accounts. After some research, Dropbox &lt;a href=&quot;https://www.zdnet.com/article/dropbox-bug-kept-users-deleted-files-on-its-servers-for-six-years/&quot;&gt;found a bug&lt;/a&gt; had crept into the code that prevented files and folders from being permanently deleted.&lt;/p&gt;



&lt;p&gt;Though it may seem harmless at first, we often delete files for a reason, and the fact that possibly sensitive data may have kept living a ghost-like existence even after being destroyed is a very serious issue. Again, not something you’d expect from a company like Dropbox.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;2018&quot;&gt;2018: Data shared without consent&lt;/h3&gt;



&lt;p&gt;In July 2018, an &lt;a href=&quot;https://hbr.org/2018/07/a-study-of-thousands-of-dropbox-projects-reveals-how-successful-teams-collaborate&quot;&gt;interesting Harvard study&lt;/a&gt; was published in which the collaborative efforts of thousands of people were used as data points to determine how teams can work together. Riveting stuff that came up with some very original findings. The data used, though, was data from Dropbox, and the people involved were &lt;a href=&quot;https://www.wired.com/story/dropbox-sharing-data-study-ethics/&quot;&gt;never asked&lt;/a&gt; if it could be used this way.&lt;/p&gt;



&lt;p&gt;Though the data used was anonymized before being sent to the researchers (something that wasn’t made clear in the first version of the article), it should still make you uncomfortable that a service you trusted with your data shared it with third parties without your say-so, anonymized or not.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;On top of that, you could argue that &lt;a href=&quot;/blog/truth-about-anonymized-data&quot;&gt;anonymous data isn’t all that anonymous&lt;/a&gt; as there are ways to reconstruct somebody’s identity even when names are removed from digital dossiers.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;2022&quot;&gt;2022: Return of the phishing attack&lt;/h3&gt;



&lt;p&gt;The most recent Dropbox scandal was in November 2022, when once again a Dropbox employee’s credentials &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/dropbox-discloses-breach-after-hacker-stole-130-github-repositories/&quot;&gt;were stolen&lt;/a&gt; during a phishing attack.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;This time around, the attackers impersonated GitHub, a site where developers store their code. In this case, the thieves made off with emails and passwords belonging to both Dropbox employees and customers. It should also be noted that it was GitHub itself which flagged the attack, not Dropbox.&lt;/p&gt;



&lt;p&gt;In response, Dropbox stated that at no time were customer files in danger, nor were any of its core modules, the parts that make up Dropbox and therefore could threaten the whole system if exposed. Lucky for them, but it’s cold comfort for anybody whose email was used by cybercriminals.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;What-can-you-use-instead-of-Dropbox&quot;&gt;What can you use instead of Dropbox?&lt;/h2&gt;



&lt;p&gt;As the above timeline demonstrates, Dropbox could do a lot better than it does — and has done. Though it’s not &lt;a href=&quot;/blog/is-lastpass-safe&quot;&gt;LastPass levels of bad&lt;/a&gt;, it has dropped the ball on more than one occasion. Often the scope and severity of the incidents were not reported by Dropbox, suggesting a lack of awareness or transparency. And more often than not the breaches were caused by poor security practices.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;In particular, Dropbox’s lack of &lt;a href=&quot;/blog/what-is-end-to-end-encryption&quot;&gt;end-to-end encryption&lt;/a&gt; is concerning. When a cloud storage service protects your files with end-to-end encryption, it means your data is encrypted on your device before going to the cloud. Any subsequent breach of the cloud servers would not result in any data being exposed. We go into more detail on these issues and more in our article on &lt;a href=&quot;/blog/is-dropbox-secure&quot;&gt;Dropbox security&lt;/a&gt;.&lt;/p&gt;



&lt;p&gt;It’s with these flaws of mainstream cloud storage providers in mind that we developed &lt;a href=&quot;https://proton.me/drive&quot;&gt;Proton Drive&lt;/a&gt;, a secure, end-to-end encrypted alternative that offers top-of-the-line security and a pleasant user experience all in one. Even if we wanted to see your data — and we don’t, because &lt;a href=&quot;https://proton.me/about&quot;&gt;our business model is to protect your privacy&lt;/a&gt; — we simply can’t access it anyway.&lt;/p&gt;



&lt;p&gt;This promise of privacy has been at the core of Proton since we were founded, and thanks to our supporters, we have been able to do so without needing outside funding. So our only obligation is to you, our community.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;If using a secure and private cloud storage option sounds good to you, &lt;a href=&quot;https://proton.me/drive/pricing&quot;&gt;join Proton Drive for free&lt;/a&gt; and get a taste of what a private web would be like.&lt;/p&gt;
</content:encoded></item><item><title><![CDATA[We’re changing the price of Proton Pass Plus]]></title><description><![CDATA[We're lowering the price of the Proton Pass Plus plan to $1.99/month for annual plans.]]></description><link>https://proton.me/blog/proton-pass-price-change</link><guid isPermaLink="false">https://proton.me/blog/proton-pass-price-change</guid><category><![CDATA[Proton News]]></category><dc:creator><![CDATA[Andy Yen]]></dc:creator><pubDate>Thu, 25 Jan 2024 12:11:42 GMT</pubDate><content:encoded>
&lt;p&gt;We want to share a quick update and thank you for all your invaluable feedback and support that has helped our team build a privacy-first identity and &lt;a href=&quot;https://proton.me/pass&quot;&gt;password manager&lt;/a&gt; from the ground up.&lt;/p&gt;



&lt;p&gt;To serve your best interests, Proton doesn’t rely on venture capital investors, and we price our services to ensure sustainability. This means that, generally speaking, Proton is never the cheapest option in any of the markets we serve, particularly when factoring in our extra emphasis on &lt;a href=&quot;https://proton.me/pass/security&quot;&gt;security and privacy&lt;/a&gt; and our Swiss jurisdiction. It also means that when our costs go up in an unsustainable way, we must increase prices.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;However, because Proton is community funded and not investor funded, Proton isn’t subject to the relentless drive to maximize profits to the detriment of our community. This has allowed us to have unparalleled price stability in the tech industry. For example, our first paid product, Proton Mail Plus, has maintained the same price since 2014, even as inflation has increased dramatically.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;If we increase prices when costs go up, it’s only fair that we also reduce prices when costs go down — and this does happen from time to time due to economies of scale. For example, a few years ago, we tripled the storage that comes with our Proton Mail Plus plan without increasing prices.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Thanks to the swift adoption of Proton Pass and the rapid growth of the paid Proton Pass user base, we have achieved economies of scale sooner than anticipated. For this reason, &lt;strong&gt;we’re decreasing the price of Proton Pass Plus&lt;/strong&gt; from $3.99/month to $1.99/month on the annual subscription for both new and existing customers.&lt;/p&gt;



&lt;div class=&quot;text-center&quot;&gt;&lt;a class=&quot;btn inline-block rounded-full font-bold btn-small bg-purple-500 text-white hover:text-white focus:text-white&quot; href=&quot;https://account.proton.me/pass/signup&quot;&gt;See the new Proton Pass prices&lt;/a&gt;&lt;/div&gt;



&lt;p&gt;With more and more people using Proton Pass, we had to focus on optimizing our architecture and infrastructure to better handle the ever-increasing load. As a result, we managed to reduce our server cost per account, allowing us to decrease prices. We can scale down costs faster because we own and operate all our server infrastructure unlike most other password managers, which rely on third-party cloud service providers such as Amazon Web Services (AWS).&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;If you’re currently a subscriber to the Proton Pass Plus plan on the old pricing, you’ll receive an email from us with information on how to take advantage of the new pricing.&lt;/strong&gt;&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Thanks again for supporting Proton Pass. We’re continuously working to bring more enhancements and features to make your experience even more enjoyable — stay tuned for important updates in the coming weeks! And, as always, thank you for fighting for a better internet where privacy is the default.&lt;/p&gt;
</content:encoded></item><item><title><![CDATA[Is LastPass safe?]]></title><description><![CDATA[LastPass is one of the bigger names among password managers, but has had some issues in the past. We take a look at whether LastPass is safe.]]></description><link>https://proton.me/blog/is-lastpass-safe</link><guid isPermaLink="false">https://proton.me/blog/is-lastpass-safe</guid><category><![CDATA[Privacy Basics]]></category><dc:creator><![CDATA[Fergus O'Sullivan]]></dc:creator><pubDate>Thu, 18 Jan 2024 14:36:19 GMT</pubDate><content:encoded>
&lt;p&gt;If you’re shopping for a password manager, one prominent product is LastPass. The company has had a turbulent history, however, which may lead you to wonder, is LastPass safe?&lt;/p&gt;



&lt;p&gt;Based on its poor track record of security problems, the short answer is that no, LastPass is not safe, and you should probably avoid it. If you already have it installed, the safest option is to &lt;a href=&quot;/blog/delete-lastpass&quot;&gt;delete LastPass&lt;/a&gt; and to export and then delete any data the company holds so it’s no longer at risk.&lt;/p&gt;



&lt;p&gt;We don’t often advise so strongly against other online services, and while no system is 100% secure, the persistent security issues at LastPass should raise alarm bells for anyone considering storing their most sensitive data there. Let’s look at why we’ve made this recommendation.&lt;/p&gt;



&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;#How-safe-is-LastPass&quot;&gt;How safe is LastPass?&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#A-timeline-of-LastPass-security-incidents&quot;&gt;A timeline of LastPass security incidents&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;#2011&quot;&gt;2011&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#2015&quot;&gt;2015&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#2016&quot;&gt;2016&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#2017&quot;&gt;2017&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#2019&quot;&gt;2019&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#2021&quot;&gt;2021&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#2022&quot;&gt;2022&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#What-to-use-instead-of-LastPass&quot;&gt;What to use instead of LastPass&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;How-safe-is-LastPass&quot;&gt;How safe is LastPass?&lt;/h2&gt;



&lt;p&gt;There is an abundance of evidence and research that shows LastPass is not safe to use. The company has dropped the ball on several occasions, leading to some of the biggest breaches in web history.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Many of these issues appear to stem from the company’s inability to learn from its mistakes, neglecting to implement much-needed security measures that are usually standard in any password manager, including ours, &lt;a href=&quot;https://proton.me/pass&quot;&gt;Proton Pass&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;A-timeline-of-LastPass-security-incidents&quot;&gt;A timeline of LastPass security incidents&lt;/h2&gt;



&lt;p&gt;LastPass was founded in 2008 and has had some kind of security scandal in most years since 2011. Though not each of these incidents was a full-blown data breach, a picture quickly emerges of a company that does not appear to take security particularly seriously, making disaster inevitable. Let’s go over all major incidents LastPass has experienced in its short existence.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;2011&quot;&gt;2011: A small, limited breach&lt;/h3&gt;



&lt;p&gt;The first breach LastPass experienced was a small, limited breach in May 2011 in which the account details of LastPass users — maybe as few as a couple of hundred — &lt;a href=&quot;https://www.cnet.com/news/privacy/lastpass-forcing-members-to-change-passwords/&quot;&gt;may have been exposed&lt;/a&gt;. This was likely due to many of these customers using easily deciphered passwords for their LastPass account, which made them vulnerable to brute-force attacks in which criminals use software to “guess” passwords.&lt;/p&gt;



&lt;p&gt;In a now-deleted blog post — a pattern of behavior we’ll see more of in this timeline — LastPass recommended that &lt;a href=&quot;/blog/create-remember-strong-passwords&quot;&gt;stronger passwords&lt;/a&gt; be used to secure accounts, as well as making sure that any access attempt was verified through an IP address. In the time since 2011, methods to protect against brute-force attacks have improved, but at the time it was a reasonable response.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;2015&quot;&gt;2015: Brute force attack of unknown duration&lt;/h3&gt;



&lt;p&gt;In June 2015, four years after the last hack, LastPass &lt;a href=&quot;https://www.wired.com/2015/06/hack-brief-password-manager-lastpass-got-breached-hard/&quot;&gt;again was attacked&lt;/a&gt; and in much the same way. Criminals tried to brute-force access and managed to get through to the accounts of people who had used weak passwords. LastPass again responded fairly comprehensively, alerting law enforcement and resetting everybody’s master password, forcing users to log in via email.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;However, LastPass also began a pattern of not revealing any details of the attack, most importantly how many people were affected and how long the attack lasted before it was discovered. The success of a brute force attack can be measured by the time attackers have to carry it out; the sooner you react, the less successful it is. The fact that LastPass didn’t release these details gave the impression it may have lasted longer than would be considered safe.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;2016&quot;&gt;2016: White hat hacks&lt;/h3&gt;



&lt;p&gt;The year after the brute force attack there were a number of incidents in which security researchers — white hat hackers who test security with an aim to improve it, not to steal data — managed to get through.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;The first was revealed in January. It consisted of a simple &lt;a href=&quot;/blog/what-is-phishing&quot;&gt;phishing attack&lt;/a&gt; in which LastPass users could easily be fooled into giving up their credentials. The details of how it worked are explained in &lt;a href=&quot;https://www.hackread.com/bypassing-lastpasss-security-phishing-attack/&quot;&gt;&lt;em&gt;Hackread&lt;/em&gt;&lt;/a&gt;, but most interesting is probably LastPass’ reaction. The company deflected criticism by claiming it was a phishing attack and thus outside its purview, ignoring the fact that companies can plan for these contingencies.&lt;/p&gt;



&lt;p&gt;The &lt;a href=&quot;https://www.theregister.com/2016/07/27/zero_day_hole_can_pwn_millions_of_lastpass_users_who_visit_a_site/&quot;&gt;second incident&lt;/a&gt; in July 2016 was a similar scenario, in which Google-employed security researcher Tavis Ormandy — a name we’ll run into again shortly — fooled LastPass’ Firefox add-on into giving up user details. LastPass’ reaction was to issue a security advisory in a now-deleted blog post (another vain attempt to delete history) to update the extension.&lt;/p&gt;



&lt;p&gt;The final, and worst, flaw was in the same month and found by security researcher Mathias Karlsson. The details are &lt;a href=&quot;https://labs.detectify.com/writeups/how-i-made-lastpass-give-me-all-your-passwords/&quot;&gt;here&lt;/a&gt;, but the short version is that LastPass left a nasty bug in its code that let a savvy hacker extract any passwords used on a site via LastPass’ autofill. Happily, LastPass fixed the issue as soon as Karlsson reported it, and also paid him a bounty for finding it.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;2017&quot;&gt;2017: More bugs, both minor and major&lt;/h3&gt;



&lt;p&gt;Tavis Ormandy seems to have made LastPass his pet project at some point, as he kept up a steady pace of revelations throughout 2016 and 2017. Most of these were pretty simple and mainly notable for the sheer number of them. LastPass doesn&amp;#8217;t seem to have taken quality control very seriously, or at least assumed that people like Ormandy would do it for them.&lt;/p&gt;



&lt;p&gt;However, there was one flaw that was deemed serious enough to make it onto the pages of &lt;a href=&quot;https://www.theguardian.com/technology/2017/mar/30/lastpass-warns-users-to-exercise-caution-while-it-fixes-major-vulnerability&quot;&gt;&lt;em&gt;The Guardian&lt;/em&gt;&lt;/a&gt; in March 2017. Sadly, we don’t know too much about what exactly happened as apparently giving up details might make LastPass users even less safe than they already were. If you think transparency is a vital part of security — and we do — this should be enough reason never to use LastPass.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;2019&quot;&gt;2019: Ormandy strikes again&lt;/h3&gt;



&lt;p&gt;Ormandy kept up his work of embarrassing LastPass, finding many minor bugs. However, in September 2019 he again found something bad enough to be mentioned in the press. Like in 2016, this was a bug in a browser extension, this time those for Opera and Chrome, which let attackers &lt;a href=&quot;https://www.zdnet.com/article/lastpass-bug-leaks-credentials-from-previous-site/&quot;&gt;extract login information&lt;/a&gt; of any sites users had previously visited.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;LastPass patched the bug as soon as Ormandy reported it, but was rather sanguine when telling its users, as it “only” affected the extensions for Chrome and Opera; no mention that Chrome is by far the &lt;a href=&quot;https://gs.statcounter.com/&quot;&gt;most widely used browser&lt;/a&gt; out there.&amp;nbsp;&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;2021&quot;&gt;2021: LastPass caught harvesting data&lt;/h3&gt;



&lt;p&gt;In February 2021, security researcher Mike Kuketz came out with another &lt;a href=&quot;https://www.theverge.com/2021/2/26/22302709/lastpass-android-app-trackers-security-research-privacy&quot;&gt;shocking revelation&lt;/a&gt;, namely that LastPass had been using trackers in its password manager. Though the company claimed that it merely did this to see how people were using the product, the fact is that such trackers can also be used to gather advertising data.&lt;/p&gt;



&lt;p&gt;This is the most likely explanation, too. As Kuketz says, there is no reason to gather information the way LastPass did because there are far more secure and less intrusive ways to do this.&amp;nbsp;&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;2022&quot;&gt;2022: The final nail?&lt;/h3&gt;



&lt;p&gt;Eventually, though, LastPass’ track record of slapdash security came back to haunt it. Over the course of several months, the company had to admit to several serious breaches, then was caught covering up exactly how bad they had been. We have the full story &lt;a href=&quot;https://proton.me/blog/lessons-from-lastpass&quot;&gt;here&lt;/a&gt;, but here is a summary:&lt;/p&gt;



&lt;p&gt;In August 2022, the company admitted that a hacker had gained access to the company’s development environment (think of it as a workshop where software is assembled and tinkered with before it’s launched), but had not been able to gain access to customer information. In December, the company admitted that the development environment had been breached again and that this time attackers had stolen customer data.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Then, in March 2023, it turned out that the company had lied in earlier statements and that attackers had stolen a lot more, including sneaking a peek not just at customer data, but even the security architecture of LastPass itself. This pretty much makes LastPass vulnerable forever unless it completely overhauls its architecture.&amp;nbsp;&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;What-to-use-instead-of-LastPass&quot;&gt;What to use instead of LastPass&lt;/h2&gt;



&lt;p&gt;As you can see, the latest LastPass breach doesn’t stand by itself; the company has a long history of not taking security seriously and putting its customers last. Time and again it has failed to put out competent products and then, when caught, downplayed the effect on customers, when not lying outright.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;If you’re still a LastPass user, you deserve better. This is why we developed Proton Pass, a password manager that takes security seriously and treats people with respect. We do this through transparency, with &lt;a href=&quot;/blog/pass-open-source-security-audit&quot;&gt;all client code being open-source&lt;/a&gt;, meaning anybody can check our work. Our code is also independently audited by third-party security experts. Our security is further enhanced by Proton’s &lt;a href=&quot;https://proton.me/security/bug-bounty&quot;&gt;bug bounty program&lt;/a&gt; that incentivizes security researchers to stress test our code.&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/pass/security&quot;&gt;Learn more about Proton Pass security.&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;As a company &lt;a href=&quot;https://proton.me/about&quot;&gt;founded by scientists&lt;/a&gt;, transparency and peer review are core values, and we’re guided by a mission to make the web more private and secure.&lt;/p&gt;



&lt;p&gt;As a Proton user, you get access to cutting-edge tech that uses &lt;a href=&quot;/blog/what-is-two-factor-authentication-2fa&quot;&gt;two-factor authentication&lt;/a&gt; to keep you safe from brute-force attacks, as well as sophisticated &lt;a href=&quot;/blog/evolving-hacker-techniques&quot;&gt;anti-phishing technology&lt;/a&gt; and integrated privacy features such as &lt;a href=&quot;https://proton.me/pass/aliases&quot;&gt;Hide-my-email aliases&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;If all that sounds good, join us today. We have a guide on how you can easily &lt;a href=&quot;/support/pass-import-lastpass&quot;&gt;export your LastPass data to Proton Pass&lt;/a&gt;.&lt;/p&gt;
</content:encoded></item></channel></rss>