LastPass and the Heartbleed Bug

With news breaking on Monday, April 7th that the Heartbleed bug causes a vulnerability in the OpenSSL cryptographic library, which is used by roughly two-thirds of all websites on the Internet, we want to update our community on how this bug may have impacted LastPass and clarify the actions we’re taking to protect our customers.

In summary, LastPass customers do not need to be concerned about their LastPass accounts. Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys.

What is the Heartbleed Bug?

The Heartbleed bug is a vulnerability in the OpenSSL cryptographic library that allows stealing of information normally protected by the SSL/TLS encryption used to secure the Internet. OpenSSL is open-source software that is widely used to encrypt web communications. SSL/TLS is what normally provides secure and private communication over the Internet via websites, email, IM, and VPNs. According to CNET, an attacker can exploit Heartbleed to essentially “get copies of a server’s digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too.”

Heartbleed is being taken so seriously because OpenSSL is widely used, essentially no servers locally encrypt their data the way LastPass does, and it’s been exploitable for some time.

How does it affect LastPass?

LastPass utilizes OpenSSL for HTTPS/TLS/SSL encryption and we were therefore “vulnerable” to this bug. For anyone who was using this tool: to check whether LastPass was vulnerable, it would have shown that we were vulnerable until this morning, when we restarted our servers after the patched OpenSSL software update.

However, LastPass is unique in that your data is also encrypted with a key that LastPass servers don’t have access to. Your sensitive data is never transmitted over SSL unencrypted – it’s already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers’ encrypted data due to our extra layers of protection. On the majority of the web, user data is not encrypted before being transmitted over SSL, hence the widespread concern.

Also, LastPass has employed a feature called “perfect forward secrecy”. This ensures that when security keys are changed, past and future traffic also can’t be decrypted even when a particular security key is compromised.

Our next steps

This bug has been out there for a long time, so we have to assume our SSL keys could have been compromised. We requested a reissued certificate this morning, and plan to roll it out today, while we’ve already deployed the OpenSSL software update after restarting our servers this morning.

LastPass customers should not be affected by the certificate transition, we expect it to be seamless with no interruptions to service. 

Because other websites may not be encrypting data the way LastPass does, we recommend that LastPass users generate new passwords for their most critical sites (such as email, banking, and social networks) if those sites utilize Apache, Nginx or show as vulnerable to the Heartbleed bug. However, users should wait until their sites have replaced their certificates, with a start date after today (April 8th, 2014). For more information on replacing passwords with newly-generated ones, please see this article.

Thank you to our community for your vigilance, and we’ll provide further updates if there are any changes to the situation.

Update: April 8th, 4:46PM ET

We have built a tool to help LastPass users check whether other sites and services they use may have been affected by Heartbleed, you can check it out at:

The new SSL certificates for LastPass and Xmarks have been reissued as well.

Update: April 9th

LastPass now alerts you if the sites stored in your vault may be impacted by Heartbleed. See our new blog post for more details: 

Update: April 10th, 2:29PM ET

Many users are still concerned about what the Heartbleed situation means for their LastPass master passwords. To further clarify, we do not see a need at this time for LastPass users to update their master passwords. That said, if you would prefer to, there is no harm in doing so. We continue to update our LastPass Security Check tool to provide you the latest information regarding impacted sites. Thanks to our community for the feedback and input.


  • Anonymous says:

    does the last pass premium will support my built in fingerprint reader laptop which is come with the program digital personna personnal. does the last pass multifactor authentication biometric authentication work with my laptop built in fingerprint reader. my laptop is hp pavillion dv5 1104 tu model which i bought in 2009

  • Anonymous says:

    Why lastpass not use mobile number for verification if login pass was lost and the browser didnt find any known computer ip that we already login before ?
    what if we buy new laptop or pc what if is stolen or if drive was broken and why gmail confirmation with phone number combination half half enough security
    just type code from mobile plus code from gmail and you are done

  • Actually I’ve changed My windowse 7 and the remember account was enable for my chrome lastpass icon and unfortunately now I cant get into my account because the different message says you have to use the computer which you used the lastpass either I cant recover . Please help me I just really need to get into my account .


  • Anonymous says:

    I’ve noticed insecurity with Lastpass, over the last couple of weeks since I started using it on my laptop, connecting to my local machine I have found a virus attacking my e-mails, only Lastpass has my login information for my e-mail, I usually do not use the computer at all, so that only gives the possibility that it came from lastpass, and this is why I am uninstalling and leaving Lastpass.