Jun 6, 2014

Your LastPass Account Is Safe From the New OpenSSL Vulnerability

About 2 months after the discovery of Heartbleed, more OpenSSL vulnerabilities have now been announced. Though organizations should patch their servers, security experts have stated the latest flaws are not nearly as bad as Heartbleed.

The most critical of the new OpenSSL vulnerabilities is known as an “Injection Vulnerability”. If exploited, this flaw could result in a “man-in-the-middle attack”. Essentially, this means someone positioned on the network between your computer and a server could eavesdrop or alter encrypted data traffic. In theory, sensitive information such as email addresses, passwords, and credit card information could be at risk.

So does this impact LastPass?

Regarding LastPass, please note:

  • Your data stored in LastPass is not affected by this bug
  • Your master password is never shared with LastPass
  • Your vault is encrypted with AES 256-bit encryption before being sent to LastPass over SSL
  • Our servers’ SSL libraries have been updated with the latest fixes
  • You can also use LastPass' tool to identify affected sites: https://lastpass.com/opensslccs/

What should I do?

Although the threat is small, if you have used open or untrusted WiFi, we recommend updating the passwords for any online accounts you may have accessed at that time. LastPass will help you update the password to a new, generated one.

We recommend that users continue to exercise caution on untrusted networks, most notably public WiFi, and remove WiFi networks they no longer need or trust from their devices. Unlike LastPass, most other websites do not encrypt data before transmission, so there may be a risk of exposure to the OpenSSL flaws on other websites when used over public WiFi.

We will continue to keep our community updated on any developments in the situation.

The LastPass Team