LastPass and the Heartbleed Bug

With news breaking on Monday, April 7th of the Heartbleed bug, a vulnerability in the OpenSSL cryptographic library used by roughly two-thirds of all websites on the Internet, we want to update our community on how this bug may have impacted LastPass and clarify the actions we’re taking to protect our customers.

In summary, LastPass customers do not need to be concerned about their LastPass accounts. Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys.

What is the Heartbleed Bug?

The Heartbleed bug is a vulnerability in the OpenSSL cryptographic library that allows an attacker to steal information normally protected by the SSL/TLS encryption used to secure the Internet. OpenSSL is open-source software that is widely used to encrypt web communications. SSL/TLS is what normally provides secure and private communication over the Internet via websites, email, IM, and VPNs. According to CNET, an attacker can exploit Heartbleed to essentially “get copies of a server’s digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too.”

Heartbleed is being taken so seriously because OpenSSL is widely used, essentially no servers locally encrypt their data the way LastPass does, and it’s been exploitable for some time.

How does it affect LastPass?

LastPass utilizes OpenSSL for HTTPS/TLS/SSL encryption and we were therefore “vulnerable” to this bug. Anyone who used this tool to check whether LastPass was vulnerable would have seen that we were vulnerable until this morning, when we restarted our servers after applying the patched OpenSSL software update.

However, LastPass is unique in that your data is also encrypted with a key that LastPass servers don’t have access to. Your sensitive data is never transmitted over SSL unencrypted – it’s already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers’ encrypted data due to our extra layers of protection. On the majority of the web, user data is not encrypted before being transmitted over SSL, hence the widespread concern.
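The paragraph above describes an architecture rather than an implementation, so here is a small model of it. This is an added example, not LastPass's own code: the key derivation function (PBKDF2-HMAC-SHA256), its iteration count, the way the login credential is derived from the vault key, and the cipher (an HMAC-SHA256 keystream with a separate MAC, standing in for AES so the example runs on the Python standard library alone) are all assumptions made for illustration. What the model shows is the property the post relies on: the master password and the vault key exist only on the client, so the server's stored data does not contain anything that decrypts the vault.

```python
"""Model of client-side vault encryption: the server stores ciphertext and a
one-way login hash, never the master password or the vault key.
Constructed example; KDF, iteration count and cipher are illustrative choices."""
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 100_000  # assumed iteration count for this example
KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client only: the e-mail is the salt, the master password the secret."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.encode(), PBKDF2_ROUNDS, KEY_LEN)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client only: a one-way derivation of the vault key that is sent as the
    login credential. Holding it does not give the vault key back."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for a real block cipher mode.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(vault_key: bytes):
    # Separate encryption and MAC keys, both derived from the vault key.
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc, mac = _subkeys(vault_key)
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(vault_key)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + body, hashlib.sha256).digest()):
        raise ValueError("vault failed integrity check: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc, nonce, len(body))))


class VaultServer:
    """Everything the server stores. Absent by design: master password, vault key."""

    def __init__(self):
        self.users = {}

    def register(self, email: str, login_hash: bytes, blob: bytes) -> None:
        salt = os.urandom(16)  # the login hash is stretched again server-side
        check = hashlib.pbkdf2_hmac("sha256", login_hash, salt, PBKDF2_ROUNDS, KEY_LEN)
        self.users[email] = {"salt": salt, "check": check, "blob": blob}

    def login(self, email: str, login_hash: bytes) -> bytes:
        rec = self.users[email]
        check = hashlib.pbkdf2_hmac("sha256", login_hash, rec["salt"], PBKDF2_ROUNDS, KEY_LEN)
        if not hmac.compare_digest(check, rec["check"]):
            raise PermissionError("invalid credentials")
        return rec["blob"]

    def all_stored_bytes(self) -> bytes:
        """All server-side records concatenated: the most a disclosure of stored
        data could hand over, and it contains no key material for the vault."""
        return b"".join(r["salt"] + r["check"] + r["blob"] for r in self.users.values())


def client_store(server: VaultServer, email: str, master_password: str, vault: dict) -> None:
    vault_key = derive_vault_key(master_password, email)
    blob = encrypt_vault(vault_key, json.dumps(vault).encode())
    server.register(email, derive_login_hash(vault_key, master_password), blob)


def client_fetch(server: VaultServer, email: str, master_password: str):
    """Return the decrypted vault, or None if the server rejects the login."""
    vault_key = derive_vault_key(master_password, email)
    try:
        blob = server.login(email, derive_login_hash(vault_key, master_password))
    except PermissionError:
        return None
    return json.loads(decrypt_vault(vault_key, blob))


if __name__ == "__main__":
    srv = VaultServer()
    client_store(srv, "user@example.com", "correct horse battery staple", {"bank": "hunter2"})
    print(client_fetch(srv, "user@example.com", "correct horse battery staple"))
    print(b"hunter2" in srv.all_stored_bytes())  # False: the server never saw the plaintext
```

The point to check against any "we never have your key" claim is the last assertion in the demo: the whole of what the server stores can be searched for the master password, the vault key and the plaintext, and none of them appear, so a leak of server-side data yields ciphertext plus a hash that is only useful for verifying a login.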

Also, LastPass has employed a feature called “perfect forward secrecy”. Because security keys are regularly changed, the compromise of one particular security key does not allow past or future traffic to be decrypted.
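The post does not say which cipher suites provide that forward secrecy, so the following is a generic model rather than LastPass's configuration, added here to show why the property matters for a bug that can leak a server's long-term key. It is an added example, not the post's own code. Assumptions: ephemeral Diffie-Hellman over the 2048-bit MODP group of RFC 3526, an HMAC under the server's long-term key standing in for the certificate's RSA signature, and, for the non-forward-secret comparison, a keystream under that same long-term key standing in for RSA key transport.

```python
"""Forward secrecy: with ephemeral DH the long-term key only authenticates the
handshake, so a later leak of that key does not expose recorded sessions. With
key transport, the same leak recovers every recorded session key.
Constructed example; HMAC stands in for RSA signing and RSA encryption."""
import hashlib
import hmac
import secrets

# 2048-bit MODP prime from RFC 3526 (group 14); generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = 256  # size of one group element on the wire


def ephemeral_keypair():
    x = secrets.randbits(256)  # private exponent; lives only for one handshake
    return x, pow(G, x, P)


def session_key(shared_secret: int, transcript: bytes) -> bytes:
    return hashlib.sha256(shared_secret.to_bytes(NBYTES, "big") + transcript).digest()


def dhe_handshake(server_long_term_key: bytes):
    """Ephemeral DH. Returns (client_key, server_key, bytes seen on the wire)."""
    c_priv, c_pub = ephemeral_keypair()
    s_priv, s_pub = ephemeral_keypair()
    transcript = c_pub.to_bytes(NBYTES, "big") + s_pub.to_bytes(NBYTES, "big")
    # The long-term key signs the ephemeral values; it never enters key derivation.
    signature = hmac.new(server_long_term_key, transcript, hashlib.sha256).digest()
    client_key = session_key(pow(s_pub, c_priv, P), transcript)
    server_key = session_key(pow(c_pub, s_priv, P), transcript)
    # c_priv and s_priv go out of scope here; nothing on the wire or on disk keeps them.
    return client_key, server_key, transcript + signature


def _pad(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()


def key_transport_handshake(server_long_term_key: bytes):
    """Non-forward-secret comparison: the client picks the secret and sends it
    protected by the server's long-term key. Returns (session_key, wire bytes)."""
    client_secret = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    protected = bytes(a ^ b for a, b in zip(client_secret, _pad(server_long_term_key, nonce)))
    return hashlib.sha256(client_secret).digest(), nonce + protected


def recover_from_recording_key_transport(leaked_long_term_key: bytes, wire: bytes) -> bytes:
    """Anyone holding the leaked key can unwrap the recorded secret."""
    nonce, protected = wire[:16], wire[16:]
    client_secret = bytes(a ^ b for a, b in zip(protected, _pad(leaked_long_term_key, nonce)))
    return hashlib.sha256(client_secret).digest()


def recover_from_recording_dhe(leaked_long_term_key: bytes, wire: bytes):
    """The recording holds g^a, g^b and a signature. The leaked key lets its
    holder check or produce signatures (the impersonation risk a certificate
    reissue addresses), but the session key needs a or b, which no longer exist.
    Returns (signature_valid, recovered_session_key) with the key always None."""
    transcript, signature = wire[:2 * NBYTES], wire[2 * NBYTES:]
    expected = hmac.new(leaked_long_term_key, transcript, hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected), None


if __name__ == "__main__":
    lt = b"constructed-server-long-term-key"
    ck, sk, wire = dhe_handshake(lt)
    print("DHE keys agree:", ck == sk, "recovered after leak:", recover_from_recording_dhe(lt, wire))
    k, wire2 = key_transport_handshake(lt)
    print("key transport recovered after leak:", recover_from_recording_key_transport(lt, wire2) == k)
```

The contrast is the whole argument of the paragraph: in the key-transport case the recording plus the leaked key reproduce the session key exactly, while in the ephemeral case the leaked key only confirms or forges authentication, which is why a key leak still requires a certificate reissue but does not retroactively expose recorded traffic.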

Our next steps

This bug has been out there for a long time, so we have to assume our SSL keys could have been compromised. We have already deployed the OpenSSL software update after restarting our servers this morning; we also requested a reissued certificate this morning and plan to roll it out today.

LastPass customers should not be affected by the certificate transition; we expect it to be seamless, with no interruptions to service.

Because other websites may not be encrypting data the way LastPass does, we recommend that LastPass users generate new passwords for their most critical sites (such as email, banking, and social networks) if those sites utilize Apache, Nginx or show as vulnerable to the Heartbleed bug. However, users should wait until their sites have replaced their certificates, with a start date after today (April 8th, 2014). For more information on replacing passwords with newly-generated ones, please see this article.
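The advice above is a rule with two inputs per site: when the site's current certificate was issued, and when the stored password was last changed. The following added example (not LastPass's Security Check tool) encodes that rule: wait while the site still presents a certificate issued before the cut-off, then regenerate any password that is older than the replacement certificate. It also handles the edge case a commenter raises further down, that an imported entry carries its import date rather than the date the password was really changed, so such entries must not be treated as fresh. Assumptions: a certificate whose start date is April 8th, 2014 itself counts as replaced, the certificate date is read from the `notBefore=` line printed by `openssl x509 -noout -startdate`, and the sample vault entries are constructed.

```python
"""Heartbleed password-rotation check for a list of stored logins.
Constructed example encoding the post's rule plus the imported-entry edge case."""
from datetime import datetime, timezone
from typing import Optional

# Certificates issued before this date may have been exposed; assumption:
# a certificate dated April 8th itself counts as replaced.
REPLACED_CERT_THRESHOLD = datetime(2014, 4, 8, tzinfo=timezone.utc)


def parse_openssl_startdate(line: str) -> datetime:
    """Parse a line such as 'notBefore=Apr  9 00:00:00 2014 GMT' as printed by
    `openssl x509 -noout -startdate`; the double space before a one-digit day
    is tolerated by strptime."""
    _, _, value = line.strip().partition("=")
    parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def rotation_advice(site_affected: bool, cert_not_before: datetime,
                    password_changed: Optional[datetime], imported: bool) -> str:
    """Return 'unaffected', 'wait', 'go update' or 'ok' for one stored login."""
    if not site_affected:
        return "unaffected"
    if cert_not_before < REPLACED_CERT_THRESHOLD:
        # The site still presents a certificate whose key may have leaked; a
        # new password sent now could be exposed the same way, so hold off.
        return "wait"
    if imported or password_changed is None:
        # No trustworthy change date: an import date says nothing about age.
        return "go update"
    if password_changed < cert_not_before:
        return "go update"
    return "ok"


def check_vault(entries) -> dict:
    """Run the rule over vault entries (dicts) and return {site: advice}."""
    return {
        e["site"]: rotation_advice(e["affected"], parse_openssl_startdate(e["startdate"]),
                                   e.get("changed"), e.get("imported", False))
        for e in entries
    }


# Constructed sample vault; startdate strings mimic openssl's output format.
SAMPLE_VAULT = [
    {"site": "example-mail", "affected": True,
     "startdate": "notBefore=Apr  9 00:00:00 2014 GMT",
     "changed": datetime(2014, 4, 10, tzinfo=timezone.utc)},
    {"site": "example-bank", "affected": True,
     "startdate": "notBefore=Apr  9 00:00:00 2014 GMT",
     "changed": datetime(2014, 1, 5, tzinfo=timezone.utc)},
    {"site": "example-shop", "affected": True,
     "startdate": "notBefore=Jan 15 00:00:00 2013 GMT",
     "changed": datetime(2014, 4, 10, tzinfo=timezone.utc)},
    {"site": "example-forum", "affected": True,
     "startdate": "notBefore=Apr 12 00:00:00 2014 GMT",
     "changed": datetime(2014, 4, 13, tzinfo=timezone.utc), "imported": True},
    {"site": "example-static", "affected": False,
     "startdate": "notBefore=Jan 15 00:00:00 2013 GMT"},
]

if __name__ == "__main__":
    for site, advice in check_vault(SAMPLE_VAULT).items():
        print(f"{site:15} {advice}")
```

Note the "example-forum" entry: its password was changed after the new certificate, yet it still says "go update", because the change date came from an import and cannot be trusted. A checker that ignores this distinction will report such entries as safe when they may not be.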

Thank you to our community for your vigilance, and we’ll provide further updates if there are any changes to the situation.

Update: April 8th, 4:46PM ET

We have built a tool to help LastPass users check whether other sites and services they use may have been affected by Heartbleed; you can check it out at:

The new SSL certificates for LastPass and Xmarks have been reissued as well.

Update: April 9th

LastPass now alerts you if the sites stored in your vault may be impacted by Heartbleed. See our new blog post for more details: 

Update: April 10th, 2:29PM ET

Many users are still concerned about what the Heartbleed situation means for their LastPass master passwords. To further clarify, we do not see a need at this time for LastPass users to update their master passwords. That said, if you would prefer to, there is no harm in doing so. We continue to update our LastPass Security Check tool to provide you the latest information regarding impacted sites. Thanks to our community for the feedback and input.


  • Anonymous says:

    Does LastPass Premium support my laptop's built-in fingerprint reader, which came with the DigitalPersona Personal program? Does the LastPass multifactor biometric authentication work with my laptop's built-in fingerprint reader? My laptop is an HP Pavilion dv5 1104 tu model which I bought in 2009.

  • Anonymous says:

    Why does LastPass not use a mobile number for verification if the login password was lost and the browser didn't find any known computer IP that we already logged in from before?
    What if we buy a new laptop or PC, what if it is stolen, or if the drive was broken? And why isn't a Gmail confirmation combined with a phone number, half and half, enough security?
    Just type the code from mobile plus the code from Gmail and you are done.

  • Actually I’ve changed my Windows 7, and the remember-account option was enabled for my Chrome LastPass icon, and unfortunately now I can't get into my account because a different message says you have to use the computer on which you used LastPass; I can't recover either. Please help me, I just really need to get into my account.


  • Anonymous says:

    I’ve noticed insecurity with LastPass. Over the last couple of weeks since I started using it on my laptop, connecting to my local machine, I have found a virus attacking my e-mails. Only LastPass has my login information for my e-mail, and I usually do not use the computer at all, so that only leaves the possibility that it came from LastPass, and this is why I am uninstalling and leaving LastPass.

  • Anonymous says:

    I noticed that the age of my password is only correct if I changed it after installing LastPass. If the password is old enough to be vulnerable, but LastPass imported it after it should have been secured, LastPass thinks that I am OK, calculating erroneously that my password was last changed on the day it was imported.

  • Anonymous says:

    How can I contact someone?

  • My password no longer works in Opera 1162

  • Anonymous says:

    Perfect forward secrecy? Can someone explain to me what that is and how it’s implemented by LastPass? Thank you.

  • Brian Preble says:

    It would be nice if this information was accurate. LastPass incorrectly lists GameSpot.Com and Elder Scrolls Online (an MMO) as vulnerable. Both were patched long ago, as stated on their respective websites.

    • Amber Gott says:

      It seems to be showing they were vulnerable but patched – please report any discrepancies to security[at] so we can update the tool with the latest information.

  • Anonymous says:

    Aside from banking passwords, I recommend changing hosting account passwords if you have your own domains and use your domain email address with any financial sites: someone with your hosting credentials can retrieve all your financial passwords.

  • Bruce Mohler says:

    LastPass is reporting differing results for According to the Security Test, its status is “Wait”, but according to the tool, the website's status is “fixed or unaffected”. It would be good to have these agree.

  • Don Reed says:

    I have unsubscribed from this site on this date 05.14.14 since the management is unwilling to delete the “anonymous” postings that are weird advertisements and other strange/bizarre messages that have nothing to do with the LastPass function.

    When I want bathroom graffiti redirect to my email box, I’ll re-subscribe.

  • Anonymous says:

    I think that I read that it does not do that with Safari yet, if that is the browser you are using……

  • Don Reed says:

    WOULD someone anyone in the Last Pass organization STOP sending out these ridiculously ghost-written, BS SCRIPTED “messages” from “Anonymous”?!

    THEY are EXACTLY like all the same planted fake Amazon Garcinia (SCAM diet weight pills) that account for MILLIONS of bogus, paid-for “product reviews” on Amazon.

    Last Pass: The ONLY thing you have going for you is your CREDIBILITY.

    These planted messages instantaneously DESTROY it.

    Get it?

  • Don Reed says:

    “Hi Don: We have had so many comments on this post that you need to click “load more” several times at the bottom of the page to see all comments.”

    Hi Amber. Thanks for the response. Is it possible for Last Pass to create a “Open Up All Remaining Comments On One Page” check box/feature?

    If not now, if the Bleeding Heart fiasco still has legs, then in the near future?

    And if so, could it be displayed prominently in an eye-attracting color (red is fine) so that time is saved trying to find it if it exists?

    And who are all these fawning “Anonymous” authors?!

    Be well.

  • Don Reed says:

    Message was posted just now, warning Last Pass of irregularities.

    I received a copy of it sent from here to my Gmail box.

    I returned here and it doesn’t exist.

    What’s going on here?

    • Amber Gott says:

      Hi Don: We have had so many comments on this post that you need to click “load more” several times at the bottom of the page to see all comments.

  • Don Reed says:

    I keep getting messages from this board.

    It’s now April 29th.

    The last one above on this board was posted on April 11.

    And the messages I’m getting are all signed by “Anonymous.”

    They look exactly like the MILLIONS of the voting ballot-box stuffing ghost-written product reviews on Amazon that are posted by robots using hit-and-run accounts that are opened and then abandoned, usually by the scammers who Doctor Oz confronted (video tape played today 04/28/14) in San Diego who have been claiming in the bogus reviews that Oz has recommended using the Garcinia diet pills.

    If anyone at Last Pass happens to be paying attention, you might want to look into this.

    This could be real trouble for you guys. And possibly even your clients, who, as you know, tend to be skittish and can disappear very rapidly.

  • Anonymous says:

    I am a premium member. All I ask is to change my info but can wait.

  • Anonymous says:

    I’m seeing the same thing a few others above are also experiencing. I changed my passwords for the Dropbox, Netflix, Tumblr and MyFitnessPal sites when prompted, and now 1-2 weeks later I’m being told to update again. Was the initial “go update” premature, or do we need to change it again?

  • Anonymous says:

    How do I update a website certificate?

  • Tim Curtin says:

    There seems to be something odd about the Heartbleed Bug section of the security checker. For instance, it just suggested I go update my Etsy password. I did, reran the checker… and it suggests I go update my Etsy password.


    There are other sites that I know I updated just after a new certificate was created, and are telling me to update again: 2 weeks YES (2 weeks ago) Go update!

    Then there are a few where I should obviously be in the clear: 1 week YES (2 weeks ago) Go update!

    Is there something causing the “Go update!” other than needing a more recent password than a site’s certificate?

  • Tony Alves says:

    Amber, I believe the @lastpass #heartbleed check has some unfortunate holes that could lead users to believe they are ok to change passwords when they are not. Go ahead and follow me on twitter and DM me an email.

  • I changed my passwords as indicated by the LP Heartbleed checker, but I get notices to change them again even though I did it after it was indicated last week. Is it a bug in the checker, or is it really needed? Thanks

  • Anonymous says:

    Thanks for all the support that the LP team is giving to all the users.
    Only a quick question: I’ve updated my Dropbox password 2 times, as the security test keeps saying Go Update! and the certificate was updated 2 weeks ago. Can you guys point out to me what the problem is? Thanks! :)
