Sep 26, 2014

What You Need to Know About the Shellshock Bash Bug

A newly-discovered security vulnerability dubbed the “ShellShock bug” could be more widespread and damaging than Heartbleed.

What is the Shellshock Bash Bug?

Bash, a unix shell typically used on Mac, Linux, and Unix systems, has had flaws that allow someone to trick Bash into doing things it’s not supposed to do, like running programs or modifying data.

The bug could affect any network or website that relies on Unix and Linux operating systems, including Mac OS X. Though you may be running Windows, most web servers on the Internet run on some variant of Unix, so your business or the services you use on a daily basis are likely to run these platforms. In short, the Shellshock bug puts untold millions of computer networks and consumer records at risk of compromise.

By exploiting the Shellshock bug, an attacker can essentially have full access to that server. Since the attacker could take any action that the web server itself could take, the consequences could be disastrous: the compromise of a database, access to files, access to source code, data being deleted, data being changed, running programs, and, perhaps worst of all, deploying malware to compromise the system. This is far worse than Heartbleed, which could reveal data from server memory but didn’t allow direct action on a machine.

Is LastPass Affected?

No, LastPass is not vulnerable to the Bash bug. LastPass does not use Bash on web-exposed interfaces, and we’ve applied the latest patches as well.

We have seen evidence of attempts to exploit the bug on LastPass systems, unsuccessfully. Other companies and researchers have reported observing the same, indicating it’s likely other web services and networks are at risk.

Is There a Fix?

Yes, there’s a patch for most Linux systems, though Apple has yet to release a fix for Mac OS X. The initial patch making the rounds Wednesday was not an effective fix, so the patch should be reapplied. Those managing computer systems should update their networks and machines with the proper patches as they’re released.

What Should You Do?

At the moment, LastPass customers and others should avoid using open, unsecured WiFi if using Mac OS X, until Apple releases a patch. Linux desktop users should update their systems as soon as possible. Windows desktop users are unaffected.

If other services you use indicated they were patched, you can update your passwords and proactively monitor for signs of breach, such as things installing to your machine without action on your part, or suspicious activity on your online accounts.

And if you’re not yet using a password manager, now’s a good time to start. By using a different password for every online account, you make it much more difficult for someone to compromise your most critical online accounts and your personal identity.

Update: Tuesday, September 30th

Apple has now released patches for the "Shellshock" Bash bug that affected Mac OS X, the update should be available from your computer's Software Updates, or you can download them directly from Apple here:

OS X Mavericks:
OS X Mountain Lion:
OS X Lion:

Sep 17, 2014

Get LastPass for iOS 8 Today!

The LastPass app for iOS 8 is here! As we announced last week, our updated app now fills your web logins with our new LastPass extension for Safari, and offers Touch ID integration for an even easier mobile authentication experience.

Today, we’re excited to introduce you to these new features and show you how they work:

With this app update, we’re introducing a mobile experience that’s much more in-line with our vision ... one that’s faster, simpler, and more powerful than ever on iOS.

Once you’ve updated your device to iOS 8, getting started with the new LastPass extension in Safari and the Touch ID integration requires a few simple setup steps:

The one-time setup steps include enabling Touch ID in the LastPass app and toggling the LastPass extension in Safari; please refer to our user manual for a more detailed walk-through.

Grab these new features by downloading or updating the LastPass app from the App Store after you’ve upgraded to iOS 8. A free 2-week trial is available for the LastPass app before upgrading to LastPass Premium for unlimited mobile sync.

Sep 16, 2014

The Scary Truth About Your Passwords: An Analysis of the Gmail Leak

A detailed analysis of last week's leak of 5 million Gmail logins reveals some alarming statistics. The infographic below takes a look at the reality of our bad password practices, highlighting the ongoing use of weak, dictionary-based passwords that are leaving us vulnerable:

If you're not using a password manager, now's the time to download LastPass and get started today!

Sep 12, 2014

Were Your Google Credentials Leaked?

Early on Tuesday, Google announced that a potential 5 million usernames and passwords associated with Gmail accounts have been leaked. It is unclear how many of them are current vs. outdated credentials. According to Google’s blog post, “less than 2 percent of the username and password combinations might have worked.”

Visit our email look-up tool to see if your account was part of the leaked data.  

We strongly suggest that you take this opportunity to change your Gmail account password and generate a new, strong password using LastPass. To protect our users, those who have reused their LastPass master password as their Gmail account password have been temporarily deactivated. For your security, note that it is very important to never use your LastPass master password for other logins.

If you’ve experienced trouble with your account, please contact LastPass Support so we may assist you in reactivating your account and creating a new, stronger master password.

Be Secure,

Sep 8, 2014

Introducing LastPass for iOS 8.

Following Apple’s announcement of iOS 8 in June, we’ve been hard at work to bring the platform’s new security and authentication features to the LastPass mobile experience. Now with the impending release of the platform, we’re thrilled to announce the LastPass app will be available for iOS 8 with Touch ID integration and a Safari extension for automated web logins. This marks a tremendous shift in our ability to bring a seamless login experience to LastPass users on iOS.

The LastPass Safari Extension

iOS 8 now allows third-party apps like ours to integrate directly into Safari as an extension. Once enabled in the browser, this means LastPass can fill web logins instantly without a user ever leaving the browser. The extension gives direct access to the LastPass vault, so you can use stored logins or save new accounts in less steps.

Touch ID Integration

With the release of the iPhone 5S, Apple launched Touch ID, a new fingerprint identity sensor for authenticating on iOS. By touching the Home button, the sensor reads your fingerprint, allowing you to unlock your phone and authorize other actions on your device.

For added security, you also have the option to enable Touch ID to unlock your LastPass vault to access your stored accounts. While browsing in Safari and launching the LastPass extension, you can respond to the Touch ID prompt to authorize LastPass to fill a web login.

A New Mobile Experience

Together, the LastPass Safari extension and the Touch ID integration allow us to provide a more streamlined, secure authentication experience for our iOS users. We hope to see Apple continue in this direction and provide even more flexibility for third-party security providers on iOS.

You’ll be able to grab the LastPass app from the iTunes app store within the next few weeks, and we'll soon have demonstrations of how these new features will work in the LastPass app. Note the iOS app is part of our LastPass Premium service for $12 per year.

Aug 28, 2014

Worried About the JPMorgan Chase Hack? 6 Steps to Take Now

News broke that US law enforcement is investigating a hack of JPMorgan Chase and four other financial institutions. Though it remains unclear what was compromised and how it affects consumers, the sophisticated cyber attack appears to have resulted in the loss of sensitive information, including account information.

Given the potential scope of the hack, our  recommendation is to be as proactive as possible. Take action now and practice good online security habits so you can mitigate the fallout from this cyber attack and prepare yourself moving forward.

Here are 6 actions we recommend taking today:

Change Your Passwords, Now.  

Go directly to the websites of any financial institution where you have an online account, starting with JPMorgan Chase if applicable, then any banks, investment accounts, employee benefit accounts, and others that house financial assets. Use the password generator in LastPass to create a new, strong password for each of these accounts, saving the new password to LastPass as you submit the change on the website.

Use a Unique Master Password for Your Password Manager.  

Your LastPass Master Password should be a unique password that you do not reuse on any of your other online accounts. If you’ve used your Master Password for other accounts, now’s a good time to change it.

Avoid Clicking Questionable Links. 

Phishing attacks are a common way to get you to divulge sensitive information. If you receive an email to reset your bank’s password, just open a new tab or window in your browser and enter the web address for your bank, logging in there directly rather than clicking through the link.

Check Your Security Challenge Results. 

The LastPass Security Challenge gives you a comprehensive report on your password hygiene so you know where to take action. Located in the Tools menu of the LastPass browser icon, the Security Challenge alerts you to any weak or duplicate passwords, and tells you if any of your accounts were known to be affected by hacks of other online services - including this latest hack of JPMorgan Chase.

Enable Credit Monitoring. 

There are a range of credit monitoring and identity fraud detection services on the market. In LastPass, you can set up a Form Fill Profile and enable free credit monitoring alerts to receive real-time notifications if there’s any activity on your credit report. Should you be alerted to suspicious activity, you can request your free annual credit report.

Monitor Account Activity. 

Remain vigilant and watch for suspicious activity on your accounts, especially your financial, email, and social networking accounts. Watch for transactions you didn’t approve, emails you didn’t send, and posts you didn’t make- any of these could be an indication of unauthorized access to your accounts.

With an increasing number of cyber attacks affecting consumers, it’s more important than ever to be vigilant in protecting your identity and digital life, and to manage your passwords with the same care and diligence that you would the keys in your physical life.

Aug 26, 2014

LastPass Update for Android Prepares for Chrome Mobile Changes

We’re excited to announce that we have released an update to our Android app with improvements to our app autofill feature to accommodate changes that Google Chrome mobile will be rolling out in the next few weeks. For our Premium users, this means you will continue to be able to directly autofill logins in Chrome mobile!

For those of you who have been running Chrome Beta on your Android devices, you likely noticed that a recent update to the browser disabled LastPass’ ability to autofill directly into the browser and complete your logins for you. In an effort to employ stricter security policies, Google has moved to disable JavaScript injections on Chrome mobile, which LastPass relies on to automatically fill in your credentials as you log in to websites on the mobile browser.

After diligent work in investigating the new architecture, we have been able to update our functionality to be compatible with Google Chrome’s changes. LastPass will still be able to detect when you’re on a login page while browsing on Google Chrome, and you can continue to autofill usernames and passwords directly into the login fields with the LastPass prompts. You’ll continue to benefit from the ease of one tap to securely log into a site.

The update is now available in the Google Play Store. If you are interested in trying the LastPass Android app you can download it and try it out for 2 weeks for free. The upgrade to LastPass Premium is $12 per year for unlimited mobile sync and access to other Premium features.

Aug 25, 2014

Sharing Now Available in LastPass Android App

We’re excited to announce that LastPass for Android users will now be able to utilize the password and note sharing feature directly from Android devices. You will now be able to take full advantage of the secure sharing of sensitive information between LastPass users even while you’re on the go.

Partners, family, and friends co-managing online accounts, such as financial accounts or your TV streaming service, will be able to take advantage of easily sharing access to those logins.

This feature also allows you to send other LastPass users private information saved within LastPass Secure Notes. Passport numbers, PIN codes, bank account numbers, or any information stored and shared within a note are encrypted and securely synced.

From your vault, you can tap on a site or note name, and select "Share". For sites, you can choose whether or not you want the recipient to be able to view the password. You'll be prompted for the email address of the LastPass user you want to share with, and once sent the login or note will be synced between both vaults.

Think of it as a secure alternative to texting or emailing your sensitive personal information.

The updated Android app, which is included in the LastPass Premium service for $12 per year, is now available on the Google Play Store. Users can try the Premium service for free for two weeks.

Aug 15, 2014

The LastPass Team Accepts the Ice Bucket Challenge

The LastPass Team has accepted the ALS #IceBucketChallenge and donated in honor of our dear friend's father, George Vasiloff.

You may have seen the Ice Bucket Challenge making the rounds on the Internet and the media. In an effort to raise awareness for ALS, also called Lou Gehrig's disease, people are recording themselves getting doused with buckets of ice water and then challenging others to do the same.

We have challenged our friends at CustomInk and SpiceWorks! They have two business days to complete the challenge and donate to the ALS Association.

We also encourage our community to consider supporting this cause. ALS is a progressive neurodegenerative disease that affects nerve cells in the brain and the spinal cord. To learn more, visit

A big thanks to Capital Audio Post and the Mosaic District in Fairfax, Virginia for their help in completing this project.

This was a special experience for the LastPass Team and we're proud to have had the opportunity to participate in the cause!


Aug 12, 2014

Update on LastPass Connectivity Errors

At 3:57 Eastern Time this morning, one of the data centers that LastPass relies on went down. Our team immediately took action to migrate LastPass to run entirely on a different data center. As a result, many users experienced connection errors with the LastPass service, and has been intermittently unavailable throughout the morning. We have been engaged with our data center provider the entire time to resolve the issues. Please note this does not impact the security of your data.

We are doing everything we can to mitigate the impact and resolve the situation as quickly as possible, and apologize for the inconvenience caused. We strongly recommend users login through the browser extensions to access their vault, where most users should have access though some may still see warnings that they are in “offline mode”.

We will continue to update our user base and appreciate your patience.

Update: 1:28 pm EST

Though one of our data centers remains completely down, the service is generally stable and should be available to the majority of users (with the exception of login favicons). Some users may see connection errors but should still be able to access their data. We continue to work as quickly as possible to get the service back to 100%.

Update: 4:13 pm EST

Most users should now be able to connect to LastPass browser extensions and without errors, though favicons still may not sync. We continue to closely monitor the situation.

August 13, 2014: Post Mortem of Yesterday’s Outage

As noted in our original post, on August 12th, 2014 a data center that LastPass relies on went down around 4 am Eastern Time. Below, we have outlined the timeline of events as they unfolded at the data center and with the LastPass service at large.

We again sincerely apologize for the inconveniences caused, and want to assure our community we are moving forward stronger than before, as we remain deeply committed to the security and reliability of our service for our users.

Joe Siegrist
CEO of LastPass

Summary of Events

The majority of users were unaffected due to having proper redundancy in place to deal with the loss of a data center, as well as the built-in offline access via the LastPass browser extensions. However, during our efforts to scale at the secondary data center to ensure sufficient capacity at peak of the day, we inadvertently worsened the situation through human error. Our team certainly has takeaways from the experience and will be implementing changes going forward, as detailed in the concluding statements below.

We did receive a full RFO from our data center confirming that the BGP routing table issues affecting other companies yesterday played a role as well. For more, see:

Timeline of Events (EDT)

3:50 am - We detected extreme latency and packet loss between one of our data centers and most major networks, including inter-connectivity with the other data center.

3:54 am - Our monitoring system detected the situation as critical and paged two operators.

4:00 am - We contacted our data center provider regarding the issue we were experiencing with their service.

5:00 am - With no update from our impacted data center provider, we switched from two data centers to run entirely on the second data center and disabled the affected data center.

6:00 am - We noticed IPv6 has suddenly started working at the now-disabled data center, making it clear to us that major networking changes were being made.

7:00 am - Our report was escalated by the impacted data center provider.

8:00 am - We determined that the outage will likely be extended, so we executed on a plan to add some spare machines into load balancing at the second data center to ensure we would have plenty of spare capacity at the peak of the day.

8:15 am - We began to receive alerts of intermittent connectivity issues at our second (now only) data center.

8:30 am - A small percentage of users reported logout errors that prevented them from utilizing offline mode.

9:00 am - We continued trying to work with our impacted data center provider, but received no updates on the situation or information on resolution.

9:30 am - Latency and connectivity issues increased at the second (now only) data center, which we began investigating.

10:00 am - We received acknowledgement from our impacted provider indicating this is a widespread problem, and indicated they would reload the core routers. They noted that it may be an extended outage.

10:30 am - The impacted data center's network went completely down.

12:00 pm - We tracked down the source of an issue at the second data center, in which 3 machines we had added were running at 100Mbps instead of Gigabit (despite having Gigabit cards and being connected to Gigabit switches) and were network saturated.

12:45 pm - We resolved the issue with the 3 additional machines, and fully restored service still running on the second data center only, though favicons remained disabled.

2:15 pm - Impacted provider indicated they were fully online, though those machines remained unreachable for us.

2:30 pm - We authorized the impacted data center staff to reboot our networking equipment, with no effect.

3:30 pm - We discovered the underlying issue with why some users are being logged off immediately after login and resolved.

3:45 pm - Members of our team arrived at the impacted data center, and verified that our networking equipment was still down.

4:15 pm - We completed a swap to spare equipment, bringing the impacted data center back online.

8:45 pm - We completed testing and confirmed that replication to secondary data center looked good, and were fully restored with both data centers active again.

Conclusions & Lessons Learned

As a result of yesterday’s events, we have formed the following key takeaways and action steps:

  • We have moved our status page to be hosted outside our network, since it was inaccessible for periods of time.
  • In an effort to gather more detailed information for our community, we delayed communicating about the situation. Going forward, we will share what information we have, however sparse, and work to update the community from there, via the blog, the status page, our social accounts, and email where appropriate.
  • Our monitoring checks now verify port speed:
for i in `ip addr show | grep UP | egrep -v 'tun[0-9]+:|lo:' | awk -F ': ' '{print $2}'`;do echo -n $i ; ethtool $i | grep "Speed:"; done
  • We are considering moving to another data center provider.
  • In an effort to improve the situation, we worsened it through our actions, and we will be more cautious in taking preventative actions when running on a single data center.
  • We're moving to a hosted model for DNS that includes external service checks. 
  • Though we designed some systems to be 'non-critical', such as favicons for sites, we'll be improving our systems to minimize visual disruption during a massive outage.
  • A small number of users were impacted by an inability to access the service offline, we continue to investigate and test this.
  • We will be implementing more disaster and redundancy tests of our systems to better prepare for a catastrophic, single data center scenario.