On Wednesday, January 3rd, two security bugs were observed by the security community. Now known as “Meltdown” and “Spectre,” these bugs affect most central processing units (CPUs), and therefore, many computer users.

In summary, we are updating LastPass systems with the latest applicable and available patches and advise our customers to do the same while continuing to practice smart cyber hygiene.

What are the Meltdown and Spectre bugs?

The Meltdown bug may allow programs to access computer memory that they would normally not be allowed to access. Anyone running an unpatched operating system may be at risk. To take advantage of this vulnerability, an attacker must first find an opportunity to run malicious code on the targeted system. As of now, this is known to affect Intel processors.

The Spectre bug breaks the isolation between different applications, which may potentially allow an attacker, under a limited set of circumstances, to access unauthorized data. Spectre impacts a larger number of systems and is harder to mitigate, but is also harder to exploit. As of now, this is known to affect Intel, AMD and ARM processors.

We are actively monitoring for updates by chip makers and operating system providers and applying applicable patches to our own machines as they become available, and recommend users do the same.

How is LastPass affected?

Exploiting either vulnerability requires deliberate malicious action by an attacker. When it comes to Meltdown, LastPass infrastructure is heavily fortified, protected by many layers as detailed in our technical whitepaper. Due to our zero-knowledge security model, in which LastPass does not receive the master password, passwords and other sensitive data stored in the encrypted vault should remain safe.

What you can do

We are actively tracking this issue and are patching systems as applicable updates become available. We’ll continue to provide updates to our users as warranted.

At a minimum, apply updates immediately when they become available. As a best practice, after applying the updates, we recommend that you update your LastPass master password and your most important passwords (email, financial, social media, and medical) to mitigate the risk of these vulnerabilities.

As always, we encourage users to follow general best practices for online security such as: