LastPass reacts quickly to fix vulnerability

Breached password management site fixed in short order

Password management firm LastPass has reported that it has fixed a vulnerability that allowed the collection of registered email addresses from its site.

The company claimed that it took just over two hours from the initial notification of the breach to develop, deploy and test the solution.

LastPass wrote on its blog: "Our logs indicate that there's no sign of this being successfully utilised (beyond the person who found it). We've made a number of changes to improve security on the web site and help reduce the chance of a recurrence of this kind of issue."

Graham Cluley, senior technology consultant at Sophos and a user of LastPass services, said: "The good news is there weren't any passwords compromised, but there was a vulnerability that meant people could get email addresses. What I find refreshing here is that they've been very open about it on their blog, explaining what measures they're taking to make their system more secure."

LastPass allows its members to store their login credentials in an encrypted environment, accessible through a master password.

"You have to be very careful about the master key, which unlocks everything else," said Cluley. "You should only access it from computers you know to be secure."