LastPass bug could have exposed login credentials

LastPass bug could have exposed login credentials

Incidents like this are a reminder that while password managers are a very handy tool, they aren’t foolproof. You’ll still want to follow best practices for online security when using them such as being aware of phishing attacks, using multi-factor authentication, never reusing your master password, having different passwords for every online account and keeping your system free of malware.
Freemium password manager LastPass has patched a security flaw that could have allowed hackers to scrape login details from the last site you visited.

Tavis Ormandy, a security researcher from Google’s Project Zero team, responsibly disclosed the discovery late last month. To exploit the bug, a user would have needed to take a certain number of actions including filling a password with the LastPass icon then visiting a malicious site and being tricked into clicking on the page several times.

LastPass said it worked quickly to develop a fix and verified it with Ormandy. While any potential exposure was limited to Chrome and Opera browsers, LastPass said they deployed the update to all browsers out of precaution.

Fortunately, LastPass users shouldn’t have to do much as the client has likely already automatically updated itself by now. You can check your LastPass version number by navigating to Account Options -> About LastPass. If you’ve got v4.33.0 / v4.33.4 then you’re golden.