Vendors and administrators scramble to patch OpenSSL vulnerability

Steve Ragan

Reaching Impact:
In a note to customers, LastPass, the company behind the popular password management software, admitted that its servers were vulnerable to the Heartbleed bug, but said the data stored on them was not exposed.

"LastPass is unique in that your data is also encrypted with a key that LastPass servers don't have access to. Your sensitive data is never transmitted over SSL unencrypted - it's already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers' encrypted data due to our extra layers of protection."

However, LastPass still encouraged customers to generate new passwords for important websites, just to play it safe. But the company added that they should wait to do so until the potentially vulnerable website has replaced its certificate.

"Because other websites may not be encrypting data the way LastPass does, we recommend that LastPass users generate new passwords for their most critical sites (such as email, banking, and social networks) if those sites utilize Apache, Nginx or show as vulnerable to the Heartbleed bug. However, users should wait until their sites have replaced their certificates, with a start date after today (April 8th, 2014)."
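The advice above, to rotate a password only after a site has replaced its certificate, can be checked mechanically. The following Python is added here as an illustration and is not code from the article or from LastPass; it compares a certificate's notBefore date, in the dict layout Python's `ssl.getpeercert()` returns, against the April 8th, 2014 disclosure date, and the hostname in the usage path is an assumption.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Heartbleed was disclosed on April 8th, 2014 (the date cited in the article).
# A certificate whose validity starts on or before that date may have been
# issued for a key that was exposed, so the site should be treated as not yet
# re-keyed until its notBefore date is later than this.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 8, tzinfo=timezone.utc)


def cert_reissued_after_heartbleed(cert):
    """Return True if the certificate's validity start is after the disclosure date.

    `cert` uses the dict layout returned by ssl.SSLSocket.getpeercert(),
    whose 'notBefore' value looks like 'Apr  9 12:00:00 2014 GMT'.
    """
    not_before = cert.get("notBefore")
    if not_before is None:
        raise ValueError("certificate has no notBefore field")
    # cert_time_to_seconds parses the GMT timestamp format used by getpeercert()
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)
    return issued > HEARTBLEED_DISCLOSURE


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch the leaf certificate a live server presents (needs network access)."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() layout: a certificate issued the day after
# disclosure, so a password change on this site would be worthwhile.
SAMPLE_CERT = {"subject": ((("commonName", "example.invalid"),),),
               "notBefore": "Apr  9 00:00:00 2014 GMT",
               "notAfter": "Apr  9 00:00:00 2015 GMT"}

if __name__ == "__main__":
    # Assumed usage: python check_cert.py example.invalid (falls back to the sample)
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    verdict = "replaced after disclosure" if cert_reissued_after_heartbleed(cert) else "NOT yet replaced"
    print(f"notBefore={cert['notBefore']}: certificate {verdict}")
```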

A good recap of the situation, including steps to take and mitigating factors, can be viewed here.
