Popular password manager LastPass is warning about a security vulnerability in its browser extension. Based on the wording it appears the vulnerability exists when launching password protected sites via the extension (as opposed to looking up data).
LastPass had a reported 7 million users when they were acquired by LogMeIn in 2015.
The company had a prior security scare in June 2015 security breach which resulted in the resetting of most Master Passwords.
Using a reputable password manager combined with two-factor authentication is widely regarded as your best defense against hackers.
From the LastPass site:
Over the weekend, Google security researcher Tavis Ormandy reported a new client-side vulnerability in the LastPass browser extension. We are now actively addressing the vulnerability. This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post-mortem once this work is complete.
In the meantime, we want to thank people like Tavis who help us raise the bar for online security with LastPass, and work with our teams to continue to make LastPass the most secure password manager on the market. And we want to offer our users with a few steps they can take to further protect themselves from these types of client-side issues.
Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.
Two-Factor Authentication on any service that offers it – Whenever possible, turn on two-factor authentication with your accounts; many websites now offer this option for added security.
Beware of Phishing Attacks – Always be vigilant to avoid phishing attempts. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies. Take a look at our phishing primer.