Security Notice: Heartbleed Bug

Yesterday, a security vulnerability was discovered that has been colloquially called the "Heartbleed Bug."  You can read about the vulnerability here, but in layman's terms: the vulnerability allows attackers to copy a web server's private key and decrypt (current and previous) communication received by the server, including passwords.  XKCD does a fantastic job of explaining it below:

XKCD "How Heartbleed Works"

This vulnerability has apparently been live for two years, is untraceable in the log files, and it is uncertain how or whether it has been exploited.  It is recommended that users change their passwords for web services (think: Amazon, Google, Twitter, etc.) after those services have upgraded their SSL software; Steven Vaughan-Nichols of ZDNet would also recommend clearing your browser's cache afterwards.  For more information on how SSL works, the Washington Post has a fantastic write-up on SSL and Heartbleed in very non-technical terms.

For more information on how general users should respond, LastPass had this to say on the issue:

However, LastPass is unique in that your data is also encrypted with a key that LastPass servers don’t have access to. Your sensitive data is never transmitted over SSL unencrypted - it’s already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers’ encrypted data due to our extra layers of protection. On the majority of the web, user data is not encrypted before being transmitted over SSL, hence the widespread concern. 

Also, LastPass has employed a feature called “perfect forward secrecy”. This ensures that when security keys are changed, past and future traffic also can’t be decrypted even when a particular security key is compromised. 

Because other websites may not be encrypting data the way LastPass does, we recommend that LastPass users generate new passwords for their most critical sites (such as email, banking, and social networks).

We have built a tool to help LastPass users check whether other sites and services they use may have been affected by the Heartbleed bug, and you can check it out at:

Web server administrators should upgrade OpenSSL to version 1.0.1g (preferred) or, until an upgrade is possible, rebuild OpenSSL with -DOPENSSL_NO_HEARTBEATS to compile out the vulnerable heartbeat code.  In either case, revoke the existing certificates and request new ones, since the private keys may already have been exposed.
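To help administrators triage their own hosts against the advice above, here is a small added script (not part of the original notice) that classifies the output of `openssl version -a`: it flags the affected 1.0.1 through 1.0.1f releases (and 1.0.2-beta1), and reports a build as mitigated only if the -DOPENSSL_NO_HEARTBEATS flag appears in the recorded compiler line. The sample outputs are constructed, and the first-line format of `openssl version -a` is assumed to be "OpenSSL <version> <date>".

```python
import re
import subprocess

# OpenSSL 1.0.1 through 1.0.1f carry the bug; 1.0.1g is the fixed release.
# 1.0.2-beta1 was also affected; the 1.0.0 and 0.9.8 branches never were.
AFFECTED_101_LETTERS = set("abcdef")
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def is_affected_version(version_line):
    """True if the first line of 'openssl version' names an affected release."""
    m = VERSION_RE.match(version_line.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version_line)
    major, minor, patch, letter, beta = m.groups()
    if (major, minor, patch) == ("1", "0", "1"):
        # Bare "1.0.1" and letters a-f are affected; g and later are fixed.
        return letter == "" or letter in AFFECTED_101_LETTERS
    if (major, minor, patch) == ("1", "0", "2"):
        return beta == "-beta1"
    return False


def heartbeats_disabled(version_a_output):
    """True if the build flags recorded by 'openssl version -a' compile out heartbeats."""
    return "-DOPENSSL_NO_HEARTBEATS" in version_a_output


def assess(version_a_output):
    """Map 'openssl version -a' output to a remediation verdict."""
    if not is_affected_version(version_a_output.splitlines()[0]):
        return "not affected"
    if heartbeats_disabled(version_a_output):
        return "mitigated: heartbeats compiled out; still upgrade to 1.0.1g and reissue certificates"
    return "VULNERABLE: upgrade to 1.0.1g, then revoke and reissue certificates"


# Constructed sample outputs (hypothetical hosts, not captured from real systems).
SAMPLE_VULNERABLE = "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_THREADS -O3"
SAMPLE_MITIGATED = "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -O3"
SAMPLE_FIXED = "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -fPIC -DOPENSSL_THREADS -O3"

if __name__ == "__main__":
    for label, out in (("vulnerable", SAMPLE_VULNERABLE), ("mitigated", SAMPLE_MITIGATED), ("fixed", SAMPLE_FIXED)):
        print("%-10s -> %s" % (label, assess(out)))
    try:  # also check the local build, if an openssl binary is on PATH
        print("local      -> %s" % assess(subprocess.check_output(["openssl", "version", "-a"]).decode()))
    except (OSError, subprocess.CalledProcessError):
        print("local      -> openssl binary not available")
```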