Nov 21, 2014

Game Site Accounts Hacked: Action Required

A hacking group has obtained login credentials for PlayStation Network, 2K Game Studios, and Windows Live. The hackers, known as DerpTrolling, have released a subset of the data to confirm their claim; LastPass has reviewed it and determined that the leaked credentials are valid. This group has also claimed responsibility for a DDoS (distributed denial-of-service) attack on Blizzard Entertainment in which they overloaded Blizzard's servers and shut down the service to users over the weekend.

According to the hacker group, the motivation for the attack was to demonstrate to the gamer community the vulnerability of their information and to compel these large companies to further protect the information of their customers. The breadth of the leaked information could be vast. A member of the group claimed "We have 800,000 from 2K and 500,000 credit card data. In all of our raids we have a total of around 7 million usernames and passwords...We have around 2 million Comcast accounts, 620,000 Twitter accounts, 1.2 million credentials belonging to the CIA domain, 200,000 Windows Live accounts, 3 million Facebook, 1.7 million EA origins accounts, etc."

Action Required

LastPass has deactivated the exposed accounts that reused their LastPass master password with these services. Remember... if you’re reusing passwords, especially your LastPass master password, you’re inviting trouble. We recommend immediately changing the passwords for these affected sites, and if you reuse passwords on more than one site, you should take action to change those duplicate passwords as well. Use the password generator in LastPass to create a strong, unique password for every account.

As always, we will stay vigilant and do what we can to protect our users and their information.

Be Secure,

The LastPass Team

Nov 18, 2014

LastPass’ App Fill on Android Gets an Update

At LastPass, we’ve always believed in making it as easy as possible to practice good password security on all your devices. We’re furthering that mission with our latest update on Android, which brings near-universal support for logging in to apps and web sites.

Until now, the structure of some apps, like banking and financial apps, required extra steps to get logged in. Today we're releasing the App Fill Helper, which can fill your credentials in almost any app or web site. It's there when you need it, but can just as easily be disabled or enabled for any or all apps.

The App Fill Helper appears on the edge of your screen, in browsers and selected apps. The helper can be dragged to either side of your screen, so it stays out of the way while being easily accessible to assist with your login.

When you tap the helper, LastPass displays matching logins for the web site or app. In the cases where the web site or app doesn’t allow LastPass to autofill, as we sometimes see with financial apps, the app fill helper will offer convenient copy-paste options instead.

Overall, this update allows us to help you log into more web sites and apps than ever before. Now you’re typing less and getting an improved mobile experience, because LastPass can better handle the huge variety of apps and mobile web sites.

Available in the Google Play Store, the updated LastPass app supports filling logins in Android mobile apps and a number of mobile browsers, including Chrome, Opera, Yandex, Boat Browser, InBrowser, Amazon's Silk Browser, and Javelin.

The LastPass for Android app is part of our Premium service for $12 per year, with a free two-week trial for you to test out the features before upgrading. Or, upgrade today for unlimited mobile sync and even more password management features.

Nov 17, 2014

8 Tips to Protect Your Credit Card This Holiday Season

Gearing up for some online shopping this holiday season? With Black Friday and Cyber Monday only a couple weeks away, now’s a good time to ensure you’re set up for efficient, secure shopping as you check things off your holiday to-do list.

Here are 8 tips to keep you safe - and productive - as you shop online:

1. Don't store cards in browsers or online accounts.

Shopping online involves a lot of tedious forms, which means a lot of repetitive typing as you fill out your name, your address, your phone number, your email, and so on, with every single purchase you make. LastPass Form Fill saves time by filling all that for you. Storing and encrypting your credit cards with LastPass means you don’t need to put your credit cards at risk by storing that information in your web browser or your online accounts.

2. Shop at familiar companies, or research well.

If it’s your first time shopping with a vendor, conduct some research to ensure it’s a legitimate seller. Look for merchant reviews online or ask for feedback amongst your trusted peers. Look for social proof of an unfamiliar vendor by searching for them on Facebook or Twitter to see how legitimate they are. Familiarize yourself with the vendor’s refund policy and contact information, and look at the privacy policy to understand how your information may be used.

3. Look for a locked HTTPS connection.

Before entering your personal or financial information on a website, ensure the website is using a secure connection with SSL. LastPass Form Fill warns you before entering information on a non-HTTPS site. You can also look in the browser’s URL bar to see that there’s a padlock showing, and that the web address begins with HTTPS, confirming that you have a secured connection on that website. Using a secured connection ensures your data is transferred safely when you make a purchase.

4. Give as little personal information as you can.

Many websites won’t let you checkout without confirming some personal details. Choose the option to checkout as a “guest” when you can, or ensure you only fill out the required fields and nothing more. Understand what information they’re asking for and how that data may be used according to their privacy policy. If a website makes it optional to store your credit card, don’t keep it on file. The less information the website stores about you, the less there is at risk of being leaked in case of a data breach.

5. Create a strong, random password when you register.

Every single online account you sign up for should have a different password. When using a password manager like LastPass, it’s easy to create a new one with the LastPass Password Generator as you’re registering for a new online account. You can also login to existing online accounts and update old passwords at any time. And since LastPass does the remembering for you, you don’t have to worry about forgetting any of those new passwords - even if you don’t shop at those sites again for a year or more.

6. Keep an eye on credit card statements.

As soon as your credit card statements are available, review them for any unauthorized charges. If you print receipts from online purchases or save the records sent via email, it’s easier to compare your bank statements against your online purchases. If there’s any discrepancy, it’s best to contact your bank and report the issue immediately.

7. Only connect with secure WiFi.

As you’re submitting your personal and financial information online, it’s important to use an Internet connection that you know is secured. Even if you’re connecting to the website via HTTPS, on an open network it’s much easier to be tricked or phished into revealing passwords, credit cards, and other personal information you submit to a website. You don’t know how well the hotel or cafe secured their open WiFi, so it’s better to leave any transactions and sensitive account logins for later.

8. If it’s too good to be true, it probably is.

It’s thrilling to chase those great deals, especially on Cyber Monday, but be wary of anything that sounds so good that it’s unbelievable from vendors you don't know. Cyber criminals try to lure shoppers with unbelievable prices, fantastic rebates, or free promotions - including mobile apps that claim to give you perks, like free texts or calls, in exchange for logging in or posting something. Unsolicited emails, texts, calls, or social media messages could be an attempt to get you to hand over an account login or credit card information. When in doubt, play it safe.

Nov 6, 2014

Now Use Touch ID to Unlock Your LastPass App

Less than two months after our first app update for iOS 8, which debuted support for the LastPass Safari extension and Touch ID integration, we’re thrilled to let our community know that you can now unlock your LastPass app with Touch ID, too.

Following our initial release, we listened to your feedback and focused our efforts on bringing the features you’ve asked for, further improving the overall experience on iOS. That’s why our update focused on Touch ID improvements that include clearer settings and a simplified way to unlock the LastPass app with your fingerprint.

When first logging in after the update, you'll be given the option to use Touch ID to login to LastPass. Once you opt in, Touch ID is automatically enabled for your LastPass app. You can manage your preferences at any time in the app’s menu under “Settings” where you can toggle “Use Touch ID”.

Next time you multitask back to the LastPass app, you’ll be prompted to enter your fingerprint in place of entering your master password or PIN code. It’s a more convenient experience for you, while maintaining the security and privacy of your LastPass account.

The app update features additional usability improvements, including better interface support on the iPhone 6 and iPhone 6 Plus, as well as new copy-paste notifications that eliminate the need for an additional touch. When using the LastPass built-in browser, the matching sites menu is updated to allow for easier filling of passwords and form fields, too.

Grab these new features by downloading or updating the LastPass app from the App Store on your smartphone or tablet running iOS 8. If you’re not using LastPass Premium yet, a free 2-week trial is available for the LastPass app so you can try these features before upgrading for unlimited mobile access and sync.

Nov 3, 2014

Are You Ready for the Online Shopping Season?

With Halloween behind us and Cyber Monday four weeks away, the holiday shopping season is officially here. This year, 56% of shoppers are expected to buy online and spend $800 on average. That’s a lot of purchases! And every gift purchased means reentering your personal details over and over again as you complete the buying process.

That’s why it’s essential to have LastPass ready to help you, so you can make this year’s shopping easier. Form Fill simplifies online shopping by instantly filling in those repetitive shipping, billing, registration, and payment details for you. It also means you're not restricted to the major e-commerce sites that already have your credit card details saved. The best deals are often found outside the major Internet retailers!

Start preparing now with these tips on using LastPass Form Fill, so you can save precious time this holiday season:

Add a Form Fill Profile.

You can add a Form Fill profile at any time from the LastPass Icon’s Form Fills menu, or from the LastPass vault under the “Actions” menu.

Complete the profile with your first and last name, email address, shipping address, credit card, and more. Use the “Name” field to clearly label each profile, so you’ll know which one you need at a glance.

If you have more than one credit card or debit card, or more than one shipping or billing address, simply create a profile for each so you can mix and match as you shop online.

Use a Form Fill Profile.

Once you’ve created your Form Fill profiles, you’ll be able to use them on any form. When you’re checking out, for example, you’ll see a profile icon in one of the fields on the page.

Clicking the profile icon opens a menu listing your stored profiles, and you simply click the profile you want to use for that form. LastPass instantly fills in all the details for you!

If the Form Fill icon doesn't appear in the field, you can also fill at any time from the LastPass icon Fill Forms menu and select your profile of choice.

The Easiest Way to Shop.

LastPass Form Fill is a life-saver as you shop online this holiday season. Using Form Fill means less typing, less reaching for your wallet, less hassle as you make your purchases. It also means LastPass is there to help you create and store any new online accounts.

Add a profile today and set yourself up for a more enjoyable online shopping experience this holiday season!

Oct 27, 2014

How Secure Is Your Workplace?

Think your personal security habits only affect you? Think again. The lines between personal and work are more blurred than ever as more companies transition to a BYOD (Bring Your Own Device) environment. What does that mean for cyber security? Below, we’ve rounded up alarming statistics showing the increased cyber security risks businesses are facing:

Employees are the weakest link due to both bad passwords and the risks of phishing. LastPass Enterprise addresses both issues and helps strengthen the first line of defense in protecting corporate data and consumer records. Start a free trial of LastPass Enterprise today, so your employees can use a generated password for every online account, without sacrificing productivity.

Oct 22, 2014

Open Sourced LastPass Command Line Application Now Available

There’s big news here at LastPass! We’ve released and open sourced a new command line client application. Whether you work as a developer, or in IT operations, or are just a tech-savvy LastPass user, our command line application makes it easier for you to get to data stored in LastPass on the terminal on Mac, Linux, and Windows under Cygwin.

The LastPass command line application brings both better security and convenience by allowing you to access, add, modify, and delete entries in your online LastPass vault, all from the terminal. You can also generate passwords for every server you use and securely store those passwords directly in LastPass. LastPass Enterprise features are supported as well, including Shared Folders.

Diving Into the Details

Users who prefer the command line can list their data directly with “lpass ls”, then use “lpass show -c --password Sitename” to put the Sitename password in the copy buffer. You can use “lpass show” so that passwords used in scripts are stored in LastPass, rather than in the scripts themselves. LastPass can also be used as you work within the command line to help you login to servers. We’ve included some example scripts below.

The new tool is beneficial for LastPass users who want to use the command line to login to other machines as they work. There are examples such as contrib/examples/ which shows automated password changing on a server. You could run it automatically on a nightly basis, regularly changing the password on the server as a security measure.

The command line application is hosted on Github at where we will continue to develop it for further applications and uses. We’d be happy to accept pull requests for further examples and increased capabilities.

lpass, like git, is comprised of several subcommands:

lpass login [--trust] [--plaintext-key [--force, -f]] USERNAME
lpass logout [--force, -f]
lpass show [--sync=auto|now|no] [--clip, -c] [--all|--username|--password|--url|--notes|--field=FIELD|--id|--name] {UNIQUENAME|UNIQUEID}
lpass ls [--sync=auto|now|no] [GROUP]
lpass edit [--sync=auto|now|no] [--non-interactive] {--name|--username|--password|--url|--notes|--field=FIELD} {NAME|UNIQUEID}
lpass generate [--sync=auto|now|no] [--clip, -c] [--username=USERNAME] [--url=URL] [--no-symbols] {NAME|UNIQUEID} LENGTH
lpass duplicate [--sync=auto|now|no] {UNIQUENAME|UNIQUEID}
lpass rm [--sync=auto|now|no] {UNIQUENAME|UNIQUEID}
lpass sync [--background, -b]

You can view the full documentation in the manpage, 'man lpass', or view it online.
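
As an added illustration of the "lpass show" in scripts idea above (this is not one of the project's contrib scripts), the following wrapper reads a password from the vault when the script runs and hands it to a single command through its environment. The function names fetch_secret and with_secret, the file name vault-run.sh, the entry name ops/db-backup, and the variable DB_PASSWORD are hypothetical; it assumes "lpass login" has already been run.

```shell
#!/bin/sh
# Added example (not from the lpass repository): keep the password in the
# LastPass vault and read it with "lpass show" when the script runs.
# Assumes "lpass login USERNAME" has already been done on this machine.

# fetch_secret ENTRY
# Print the password of vault entry ENTRY. Fails closed: a failed lookup or
# an empty password gives a non-zero status and no output.
# The body runs in a subshell ( ... ) so no variable leaks to the caller.
fetch_secret() (
    set +x    # keep "sh -x" tracing from printing the secret in here
    secret=$(lpass show --password "$1" 2>/dev/null) || exit 1
    [ -n "$secret" ] || exit 1
    printf '%s\n' "$secret"
)

# with_secret ENTRY VARNAME CMD [ARGS...]
# Run CMD with the password exported as VARNAME, for that command only.
# The value travels in the environment, not the argument list: arguments
# are typically visible to every local user through ps, while the
# environment is readable only by the same user and root.
with_secret() (
    set +x
    if [ "$#" -lt 3 ]; then
        echo "usage: with_secret ENTRY VARNAME CMD [ARGS...]" >&2
        exit 2
    fi
    entry=$1
    var=$2
    shift 2
    # Accept only a well-formed shell variable name.
    case $var in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
            echo "with_secret: invalid variable name" >&2
            exit 2 ;;
    esac
    if ! secret=$(fetch_secret "$entry"); then
        echo "with_secret: no password for entry '$entry'" >&2
        exit 1
    fi
    export "$var=$secret"    # exported inside this subshell only
    "$@"
)

# Wrapper use (hypothetical names):
#   sh vault-run.sh ops/db-backup DB_PASSWORD ./backup.sh
if [ "$#" -ge 3 ]; then
    with_secret "$@"
fi
```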

Oct 17, 2014

Halfway There! Have You Improved Your Security This Month?

The past two weeks have quickly passed, and that means we’re now halfway through National Cyber Security Awareness Month. To kick off the month we challenged you to put your passwords to the test by running the LastPass Security Challenge and taking steps to improve your security score. That means generating new passwords to replace weak ones, or trying multifactor authentication, or updating your master password to an even stronger one. Have you made progress? You’ve still got two weeks, let’s see how high you can make your score!

And as we pause to think about ways we can better protect ourselves online, we’re sharing more tips below from STOP.THINK.CONNECT and, reminding you how to protect your data, your machines, and your community, this month and all year long:

Keep a Clean Machine

  • Keep security software current: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.
  • Automate software updates: Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.
  • Protect all devices that connect to the Internet: Along with computers, your smartphones, gaming systems and other web-enabled devices also need protection from viruses and malware.
  • Plug & scan: USBs and other external devices can be infected by viruses and malware. Use your security software to scan them.

Protect Your Personal Information

  • Secure your accounts: Ask for protection beyond passwords. Many account providers now offer additional ways for you to verify who you are before you conduct business on that site.
  • Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password. (Hint: Use the LastPass password generator.)
  • Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. (Hint: LastPass will remember each unique password for you.)
  • Write it down and keep it safe: Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer. (Hint: LastPass helps you securely manage your passwords & other important records.)
  • Own your online presence: Set the privacy and security settings on websites to your comfort level for information sharing. It’s ok to limit how and with whom you share information. 

Connect with Care

  • When in doubt, throw it out: Links in email, tweets, posts and online advertising are often the ways cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete or, if appropriate, mark as junk email. 
  • Get savvy about WiFi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine. 
  • Protect your $: When banking and shopping, check to be sure the site is security-enabled. Look for web addresses with “HTTPS://,” which means the site takes extra measures to help secure your information. “HTTP://” is not secure.

Be Web Wise

  • Stay current. Keep pace with new ways to stay safe online. Check trusted websites for the latest information, share with friends, family and colleagues and encourage them to be web wise.
  • Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true or ask for personal information.
  • Back it up: Protect your valuable work, music, photos, and other digital information by making an electronic copy and storing it safely.

Be a Good Online Citizen

  • Safer for me, more secure for all: What you do online has the potential to affect everyone – at home, at work and around the world. Practicing good online habits benefits the global digital community.

Find a downloadable version of the above tips and more great resources at

Oct 16, 2014

What Does Your Password Say About You?

A deeper dive into the passwords from the recent Gmail leak reveals some interesting psychology on why we choose the passwords we do. For one thing, the generated passwords are very easy to spot when you take a look at the data, because they’re so rare. That means most of us are still creating our own short passwords rather than using a password generator. And when we create those passwords, we default to words, phrases, or variations of familiar patterns, because they're easier to remember.

Check out what our follow-up analysis of the Gmail data reveals:

Oct 13, 2014

6 Ways to Lock Down LastPass on iOS

LastPass offers many security features to help you protect your account and be safer online. Did you know there are also mobile settings to help you better secure your LastPass app? Check out these 6 mobile security features for iOS today:

1. Use Multifactor Authentication

As we’ve mentioned before, multifactor authentication adds another layer of security to your LastPass account by requiring a second login step before allowing access to your vault. Usually this means entering a code or otherwise proving that you are who you say you are.

LastPass is compatible with many multifactor authentication options that are also available for mobile use. Apps like Duo Security, Toopher, Transakt, and Google Authenticator all install on your mobile device and allow convenient mobile access, while still maintaining the security benefits of running multifactor authentication with LastPass.

2. Add a Fingerprint Prompt with Touch ID

With the release of iOS 8, LastPass now supports Touch ID verification as an alternative to the master password reprompt on the iPhone 5S and 6. This means that when you turn on master password reprompt options, account-wide or on a site-by-site basis, you can use Touch ID as a replacement to entering the master password when using the LastPass Safari extension (and we continue to expand this new feature!). In situations where the app would prompt for the master password, you’ll instead be prompted to authenticate with your finger. For more on setting up and using this feature, check out our video tutorials.

3. Restrict Access to Specific Mobile Devices

Whenever you login to the LastPass mobile apps, LastPass remembers that mobile device for you. On your desktop, you can see this list by opening your LastPass Vault, launching Settings, and viewing the Mobile Devices tab. Any smartphone or tablet you’ve used with the LastPass app will be listed there, with a unique identifier for each device.

LastPass then lets you restrict your logins on mobile devices to just that list. So, let’s say you have an iPhone and an iPad that you use regularly. After logging in to those devices, you could launch your account settings and check the option to restrict login to those two mobile devices only. If someone were to ever try logging in on another mobile device that isn’t on the list, they won’t be able to complete the login. And if a device is ever lost or stolen, you can disable it in your Mobile Devices settings, or you can delete it completely to remove it from the list of permitted devices.

4. Require a PIN Code when Returning to the App

In the LastPass iOS app, you can open the settings menu to toggle the “Use PIN Code” option. Enabling the PIN reprompt options allows you to protect your LastPass app by requiring a PIN code every time you multitask away from and then back to the app. It’s more convenient than constantly re-entering your master password, but more secure than leaving your app logged in and unprotected.

5. Logout Automatically When You’re Not Using the App

To ensure your LastPass app logs out when you’re no longer using it, you can go to the app’s settings menu to tap “Never logoff when idle” and set a time limit. If you’re using the app and then multitask away for a while, your session will end and you’ll be logged out when the designated amount of time has passed.

6. Safely Remove Data by Clearing the Clipboard


If you’ve been copy-pasting any data from the LastPass app to other apps on your phone, you can open the LastPass app settings to tap “Clear Clipboard”, to ensure that the last thing you copied will not be usable.

Try out these features today by downloading the LastPass app from the App Store, and subscribing to LastPass Premium.