Security

LastPass Security Reports

Commitment to Security

Security is our highest priority at LastPass, including quickly responding to and fixing reports of material bugs or vulnerabilities. LastPass is in part able to achieve a high level of security for our users by looking to our community to challenge our technology. We appreciate the important work that the security research community provides and appreciate responsible disclosure of issues. Further, we believe that when the security process works as designed, we all benefit.

Note: If you are a LastPass user and you're concerned that your account has been hacked, compromised, or is otherwise at risk, please contact the LastPass support team. We will review and escalate your issue appropriately.

Submitting a Security Report

If you're a security researcher and believe you have found a security bug or vulnerability with LastPass, please follow these steps:

  1. Read the LastPass Security FAQs to make sure your concern hasn't already been addressed.
  2. Submit your report via our BugCrowd bug bounty program to report issues.
  3. Include a code sample and screencast demonstrating the exploit whenever possible.
  4. Clearly show how the bug or vulnerability impacts user data or LastPass systems.
  5. Allow us sufficient time to review and respond to your report, and coordinate with us for review and approval before any public posting of your findings.
  6. Refrain from accessing, modifying, or stealing user data, as well as disrupting the availability of LastPass (including a DDoS attack).

When reporting potential issues, please provide us enough information to recreate your findings. Information may include exact steps to reproduce the bug, any links you clicked on, pages you visited, URLs, and any affected account email addresses. Please include a code sample and either images or a video recording that clearly demonstrates the suspected exploit you have found.

To encrypt sensitive information, you can use this public key:

display public key

 

Note: If you are using automated tools to find vulnerabilities, please be aware that these tools frequently report false positives.

Responding to Reports

Once we receive a report, we will take steps to investigate the report and determine its severity. If we attempt to fix the identified issue, contingent on its severity, we may contact you for additional information. We will deploy necessary fixes to affected users based on the issue's severity and potential impact. We will close the report once an is resolved or otherwise determined to be closed.

Frequently asked questions

I have LastPass multifactor authentication enabled but LastPass filled my credentials into a site before I entered my multifactor token. Is this a security issue?

To validate your multifactor token, multifactor authentication requires that you have an Internet connection: if you do not pass us a correct multifactor token, LastPass will never release your encrypted data. However, LastPass also has an 'offline mode': it keeps a locally cached encrypted copy of your data on your local device so that you'll still be able to access your data even in the event that you do not have Internet access. When you log in to LastPass we first log you in offline to the locally cached copy of your data and then try to log you in online. As a result, you might experience cases where LastPass fills in credentials before you provide us your LastPass multifactor token. If you want to prevent this behavior, you can take the following steps:

  1. Log into LastPass
  2. Browser - LastPass Icon - Tools - Clear local cache
  3. Logoff LastPass
Click here for more information.

My Anti-virus Program Has Warned Me that LastPass Is a Virus/Trojan/Suspicious - Should I Be Concerned?

Most modern anti-virus programs today rely on a trust network to determine if a file represents a threat. As a result, despite signing all executable files we distribute using a digital certificate, every time we release a new version of our software it typically results in anti-virus programs flagging it as suspicious until it is distributed to thousands of users and/or until end users update their virus definitions. If you encounter this issue, the please follow the following steps:

  1. Re-download the problematic files from the LastPass Download page.
  2. Upload the suspicious files to Virus Total, a service that will analyze the files using dozens of the industry's top anti-virus engines. Unless the results indicate that several top anti-virus engines believe the files to be infected, it likely they are safe.
  3. Right click on the files and select 'Properties' from the context-menu, and then choose the 'Digital Signatures' tab. Make sure the files have a valid digital signature and have been signed by 'LastPass' and if necessary, view the certificate. This will assure you that the files were created by LastPass and have not been modified by a rogue 3rd party.
  4. If after the above steps you still believe that files are infected or were not created by LastPass, then please contact us at security@lastpass.com

Someone has shared a site with me and left 'Allow Recipient to View Password' unchecked, but I found a way to view the password.

As soon as a password leaves LastPass and gets filled as credentials in a browser, we can no longer protect it. As such, if a user uses LastPass to enter a shared password in, say, Google Chrome -- we can no longer guarantee its safety. It might be compromised by the browser, by a virus, or by the network, or even by the end website they are being sent to. This is also mentioned in our documentation.
The idea to use LastPass to protect shared credentials is much more broad: if you use LastPass to share passwords with employees or friends, and thereafter revoke the credentials, LastPass gives you the ability to thereafter quickly and easily update that password. So while we can't protect shared credentials fully outside LastPass (because our reach does not extend to or past the browser), we can help secure them by allowing you to change them quickly and then have that change automatically propagate to everyone else you shared with.

Quantcast