LastPass password manager suffers ‘major’ security problem

LastPass users are being advised to avoid the password manager while it addresses a “unique and highly sophisticated” security issue.

The popular service designed to help internet users protect their online accounts and, as such, is an obvious target for cybercriminals.

LastPass hasn’t revealed any further details about the problem, but Google’s Project Zero security researcher Tavis Ormandy, who discovered it, says it’s a serious one.

“It will take a long time to fix this properly, it's a major architectural problem,” he tweeted.

Mr Ormandy won’t provide further details about how the bug can be exploited until 90 days have passed since the company was first notified, as is Project Zero’s policy.

“We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties,” wrote LastPass in a blog post.

“So you can expect a more detailed post mortem once this work is complete.”

In the meantime, LastPass recommends users enable two-factor authentication on any sites that offer the technique and beware of phishing attempts, taking care to avoid clicking on suspicious links.

It also says users should launch sites directly from the LastPass vault, describing it as “the safest way to access your credentials and sites until this vulnerability is resolved”.

However, we’d recommend disabling LastPass’ browser plugins, just to be on the safe side.

Update 3 April: LastPass has released a fix that has been pushed to all affected browsers.

“Thus far, there have been no internal or external reports to indicate this bug has been exploited,” says the company. Further details of the issue are available on the LastPass blog.