With news breaking on Monday, April 7th that the Heartbleed bug causes a vulnerability in the OpenSSL cryptographic library, which is used by roughly two-thirds of all websites on the Internet, we want to update our community on how this bug may have impacted LastPass and clarify the actions we’re taking to protect our customers.
In summary, LastPass customers do not need to be concerned about their LastPass accounts. Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys.
What is the Heartbleed Bug?
The Heartbleed bug is a vulnerability in the OpenSSL cryptographic library that allows stealing of information normally protected by the SSL/TLS encryption used to secure the Internet. OpenSSL is open-source software that is widely used to encrypt web communications. SSL/TLS is what normally provides secure and private communication over the Internet via websites, email, IM, and VPNs. According to CNET, an attacker can exploit Heartbleed to essentially “get copies of a server’s digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too.”
Heartbleed is being taken so seriously because OpenSSL is widely used, essentially no servers locally encrypt their data the way LastPass does, and it’s been exploitable for some time.
How does it affect LastPass?
LastPass utilizes OpenSSL for HTTPS/TLS/SSL encryption and we were therefore “vulnerable” to this bug. For anyone who was using this tool: http://filippo.io/Heartbleed/#lastpass.com to check whether LastPass was vulnerable, it would have shown that we were vulnerable until this morning, when we restarted our servers after the patched OpenSSL software update.
However, LastPass is unique in that your data is also encrypted with a key that LastPass servers don’t have access to. Your sensitive data is never transmitted over SSL unencrypted – it’s already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers’ encrypted data due to our extra layers of protection. On the majority of the web, user data is not encrypted before being transmitted over SSL, hence the widespread concern.
Also, LastPass has employed a feature called “perfect forward secrecy”. This ensures that when security keys are changed, past and future traffic also can’t be decrypted even when a particular security key is compromised.
Our next steps
This bug has been out there for a long time, so we have to assume our SSL keys could have been compromised. We requested a reissued certificate this morning, and plan to roll it out today, while we’ve already deployed the OpenSSL software update after restarting our servers this morning.
LastPass customers should not be affected by the certificate transition, we expect it to be seamless with no interruptions to service.
Because other websites may not be encrypting data the way LastPass does, we recommend that LastPass users generate new passwords for their most critical sites (such as email, banking, and social networks) if those sites utilize Apache, Nginx or show as vulnerable to the Heartbleed bug. However, users should wait until their sites have replaced their certificates, with a start date after today (April 8th, 2014). For more information on replacing passwords with newly-generated ones, please see this article.
Thank you to our community for your vigilance, and we’ll provide further updates if there are any changes to the situation.
Update: April 8th, 4:46PM ET
We have built a tool to help LastPass users check whether other sites and services they use may have been affected by Heartbleed, you can check it out at: https://lastpass.com/heartbleed
The new SSL certificates for LastPass and Xmarks have been reissued as well.
Update: April 9th
LastPass now alerts you if the sites stored in your vault may be impacted by Heartbleed. See our new blog post for more details: https://neoblog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are-affected-by-heartbleed/
Update: April 10th, 2:29PM ET
Many users are still concerned about what the Heartbleed situation means for their LastPass master passwords. To further clarify, we do not see a need at this time for LastPass users to update their master passwords. That said, if you would prefer to, there is no harm in doing so. We continue to update our LastPass Security Check tool to provide you the latest information regarding impacted sites. Thanks to our community for the feedback and input.