LastPass Security



LastPass Security Response

We Value Your Concerns

Our business is keeping customer information both private and secure.

We appreciate all security concerns brought to our attention and strive constantly to keep on top of the latest threats. Being proactive rather than reactive about emerging security issues is a fundamental belief at LastPass. Every day, new security issues and attack vectors appear. LastPass keeps abreast of the latest state-of-the-art security developments by working with security researchers and companies. We also work with highly talented members of the LastPass community who offer their expertise to help improve the product for everyone.

If you have discovered a potential security issue with any of our products, we kindly ask you to let us know as soon as possible.

Concerned about the Heartbleed Bug?

Please see our blog post for information on how this impacts LastPass and how we're addressing it.

How To Report Security Issues

When reporting potential issues, please be as thorough as possible and provide enough information for us to reproduce your findings.

1. Read the LastPass Security FAQs
Read the LastPass Security FAQs to make sure your concern hasn't already been addressed.

2. Identify The Type of Your Security Concern
We have two types of security reports. Both will be answered promptly, but it is important that you select the right one so that your issue receives a timely answer.

If your security issue affects only your account or yourself, then it is classified as a 'Locally Impacting Security Concern'.

If, on the other hand, your security issue can impact all or many LastPass users, then it is classified as a 'Broadly Impacting Security Concern'.

Reporting Locally Impacting Security Concerns
Submit a new support ticket.

Be sure to select 'I Want To: Report a security issue'.
We'll respond within the support ticket unless the issue is sensitive or urgent, in which case we'll email you directly.
Please allow 48-72 hours for us to review your issue in depth.

Reporting Broadly Impacting Security Concerns
Email us directly at security@lastpass.com.
If the information is sensitive, please encrypt it accordingly with the following public key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)
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=ZmTr
-----END PGP PUBLIC KEY BLOCK-----

We'll analyze the information you send and, if we believe it's genuine, respond to you directly within a few hours.
If you don't hear back from us within 24 hours and did not receive a non-delivery notification for your email, it is likely that we don't have enough information to determine whether you have found a legitimate exploit. Please resubmit your findings, and make sure you include a code sample and a screencast that clearly demonstrates the exploit. If you are using automated tools to find vulnerabilities, be aware that these tools frequently report false positives. In most cases it is not enough to name a vulnerability class and point us to an FAQ on the subject: show us how it can be used to impact user data or our systems. For example, if you find a clickjacking vulnerability, show clearly which sensitive action the end user can be tricked into performing.
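The instruction above asks that sensitive reports be encrypted to the published public key. As an added example (not part of this LastPass page), the following POSIX shell script imports the key into a throwaway keyring, checks its fingerprint against a value you have confirmed through a second channel, and only then encrypts a report to security@lastpass.com. The file names lastpass-security.asc and report.txt and the EXPECTED_FPR value are assumptions; the page does not print the key's fingerprint, so you must obtain it out of band before trusting the key.

```shell
#!/bin/sh
# Added example: encrypt a vulnerability report to the LastPass PGP key.
# Assumptions: the key block from the page is saved as lastpass-security.asc,
# the report is report.txt, and EXPECTED_FPR is the full 40-hex-digit
# fingerprint confirmed through a second channel (this page does not list it).

# Compare two fingerprints after dropping spaces and normalising case.
# Returns 0 on match, 1 otherwise. Refuses anything shorter than a full
# 40-hex-digit v4 fingerprint, so a short key ID can never "match".
fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F')
    actual=$(printf '%s' "$2" | tr -d ' \t\n' | tr 'a-f' 'A-F')
    [ "${#expected}" -eq 40 ] || return 1
    [ "$expected" = "$actual" ]
}

# Import the key into the current GNUPGHOME and print the primary key's
# fingerprint (the first "fpr" record in machine-readable output).
import_and_read_fingerprint() {
    gpg --batch --quiet --import "$1" >/dev/null 2>&1 || return 1
    gpg --batch --with-colons --fingerprint security@lastpass.com \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Encrypt the report to the verified key; writes <report>.asc next to it.
# --trust-model always is acceptable only because the fingerprint was
# checked manually above; without it, batch mode refuses an untrusted key.
encrypt_report() {
    gpg --batch --yes --armor --trust-model always \
        --recipient security@lastpass.com --encrypt "$1"
}

# Whole procedure in a temporary keyring, so the user's own keyring is
# untouched until the fingerprint has been verified. Returns 0 on success.
encrypt_to_lastpass() {
    keyfile=$1; report=$2; expected=$3
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    actual=$(import_and_read_fingerprint "$keyfile")
    if [ -z "$actual" ]; then
        echo "key import failed or no fingerprint found" >&2
        rm -rf "$GNUPGHOME"; return 1
    fi
    if ! fingerprint_matches "$expected" "$actual"; then
        echo "fingerprint mismatch: got $actual, expected $expected; not encrypting" >&2
        rm -rf "$GNUPGHOME"; return 1
    fi
    encrypt_report "$report"
    status=$?
    rm -rf "$GNUPGHOME"
    return $status
}

# Usage: encrypt_to_lastpass lastpass-security.asc report.txt "$EXPECTED_FPR"
```

Send the resulting report.txt.asc as the body or attachment of your email. Keeping the import in a temporary GNUPGHOME means a key whose fingerprint does not match never reaches your permanent keyring.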

What Happens After I Submit a Security Concern?

Once you have submitted a security concern, here's what we promise to do on our end:

  1. We'll immediately take steps to determine whether the concern is a legitimate issue and assess its severity.
  2. If we require more information, we'll contact you directly. Otherwise, we'll fix the issue, potentially with your assistance. While fixing the issue will generally be completed in short order, deploying the fix to affected customers will be scheduled based on the issue's severity.
  3. Once the issue is fully resolved to both your and our satisfaction, we'll thank you for your discovery.



LastPass Security FAQs

I have LastPass multifactor authentication enabled but LastPass filled my credentials into a site before I entered my multifactor token. Is this a security issue?

Multifactor authentication requires an Internet connection to validate your multifactor token: if you do not pass us a correct token, our servers will never release your encrypted data. However, LastPass also has an 'offline mode': it keeps a locally cached, encrypted copy of your data on your device so that you can still access your data when you have no Internet access. When you log in to LastPass, we first log you in offline against the locally cached copy of your data and then attempt to log you in online. As a result, you may see LastPass fill in credentials before you have provided your multifactor token. The multifactor check is enforced when our servers release your data; it does not gate the locally cached copy, which is unlocked with your master password alone. If you want to prevent this behavior, take the following steps:

  1. Log into LastPass
  2. Browser - LastPass Icon - Tools - Clear local cache
  3. Logoff LastPass


My Anti-virus Program Has Warned Me that LastPass Is a Virus/Trojan/Suspicious - Should I Be Concerned?

Most modern anti-virus programs rely on a reputation network to determine whether a file represents a threat. As a result, even though we sign every executable file we distribute with a digital certificate, each new release of our software is typically flagged as suspicious until it has been distributed to thousands of users and/or until end users update their virus definitions. If you encounter this issue, please follow these steps:

  1. Re-download the problematic files from the LastPass Download page.
  2. Upload the suspicious files to VirusTotal, a service that analyzes files with dozens of the industry's top anti-virus engines. Unless several top anti-virus engines report the files as infected, they are most likely safe.
  3. Right-click the files, select 'Properties' from the context menu, and open the 'Digital Signatures' tab. Make sure the files have a valid digital signature signed by 'LastPass' and, if necessary, view the certificate. A valid signature assures you that the files were produced by LastPass and have not been modified by a rogue third party; a file with no signature, or whose signature is reported as invalid, should not be run.
  4. If after the above steps you still believe the files are infected or were not created by LastPass, please contact us at security@lastpass.com
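As an added example (not part of this LastPass page) of the checks in steps 2 and 3 from a shell rather than the Windows Properties dialog, the script below computes a downloaded file's SHA-256 so it can be looked up on VirusTotal by hash, compares two downloads of the same installer, and, where the osslsigncode tool is installed, verifies the Authenticode signature from a non-Windows host. The installer file name is an assumption, and osslsigncode is a third-party tool, not something the page names.

```shell
#!/bin/sh
# Added example: pre-checks for a LastPass installer flagged by anti-virus.
# Assumptions: the downloaded file is lastpass-installer.exe (placeholder);
# osslsigncode is an optional third-party tool for Authenticode checks.

# Print the SHA-256 of a file using whichever digest tool the system has.
# Searching VirusTotal for this hash avoids uploading the file when the
# same build has already been analysed.
sha256_of_file() {
    f=$1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$f" | awk '{print $1}'
    else
        openssl dgst -sha256 "$f" | awk '{print $NF}'
    fi
}

# Step 1 check: a re-downloaded copy should hash identically to the copy
# that was flagged; a mismatch means one of the two was altered in transit
# or on disk. Returns 0 when the hashes agree.
hashes_match() {
    [ "$(sha256_of_file "$1")" = "$(sha256_of_file "$2")" ]
}

# Step 3 check from a non-Windows host: verify the Authenticode signature.
# Returns 0 if it verifies, 1 if it fails, 2 if osslsigncode is missing.
# The tool prints the signer's subject; confirm it names LastPass. Pass
# -CAfile <bundle> if your build does not find the system CA store.
# On Windows, PowerShell's Get-AuthenticodeSignature .\file.exe does the same.
verify_authenticode() {
    command -v osslsigncode >/dev/null 2>&1 || return 2
    osslsigncode verify -in "$1"
}

# Usage:
#   sha256_of_file lastpass-installer.exe      # paste the hash into VirusTotal search
#   hashes_match lastpass-installer.exe lastpass-installer-redownload.exe
#   verify_authenticode lastpass-installer.exe
```

A file that verifies with a LastPass signer subject and matches the hash of a fresh download from the official download page is a reputation false positive, not an infection; a signature failure or hash mismatch is the case to report to security@lastpass.com.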


See our list of security researchers and companies that have contacted us directly and worked with us to fix security flaws safely.