LastPass security notice and tips

Yesterday LastPass issued a security notice.

Surevine uses LastPass for some password management activities, including sharing credentials with some partners.

Partners are advised:

  • We are aware of the issue
  • We have issued advice to all our LastPass users
  • All our LastPass users were already using strong master passwords
  • All our LastPass users use multi-factor authentication

These controls should ensure that any credentials or other information exchanged via LastPass were, and remain, properly protected, assuming the investigation LastPass have conducted is accurate.

We do perceive a lasting and increased risk of phishing attacks arising from this compromise.

Whilst we recommend following official LastPass advice, we note the following.

LastPass uses an “Extended Validation” certificate, so you should see the big green banner with “LastPass (Marvasol, Inc) [US]” and a green padlock with no errors or warnings when visiting the LastPass site.

[Image: LastPass banner. Caption: Looking good]

LastPass send emails to confirm certain actions. In all cases we’ve seen, the buttons and action links in their emails link directly to URLs starting “https://lastpass.com/”. They sometimes use their own redirector (“https://lastpass.com/s/”).

Users should always be wary of links which contain other website names, or HTML or JavaScript-like elements, as this can be an attempt to sneak content into the website being linked to. Most LastPass URLs seem to consist of simple assignments (e.g. “name=value&name2=value2”).

This is safe looking (“?”, “&” and “=” are common elements in URLs):

[Image: URL has no dangerous elements. Caption: URL has no obviously dangerous elements]

This is beginning to look suspect (note the “<” and “>”, and fancy words like “meta” and “refresh”; “script” is a common bad word here too):

[Image: Suspect URL. Caption: Slightly suspect URL]
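As an added illustration of the checks described above (not code from the original post or from LastPass), the following Python function applies those heuristics to a link: it expects the host to be lastpass.com, and flags a query string that contains “<” or “>”, words like “meta”, “refresh” and “script”, or anything other than simple name=value pairs. The sample URLs are constructed, and the suspect-word list is an assumption that extends the post's examples slightly.

```python
"""Heuristic check for links found in LastPass-style notification emails.

Added example, not part of the original post. Sample URLs are constructed.
"""
import re
from urllib.parse import urlsplit, unquote

EXPECTED_HOST = "lastpass.com"  # the post says genuine links start with https://lastpass.com/
# Words the post calls out, plus a few common HTML/JS event names (assumption)
SUSPECT_WORDS = ("script", "meta", "refresh", "javascript:", "onerror", "onload")
# A "simple assignment": name=value with only unremarkable characters on each side
SIMPLE_PAIR = re.compile(r"^[A-Za-z0-9_.-]+=[A-Za-z0-9_.:/@%+-]*$")


def check_url(url: str) -> list[str]:
    """Return the reasons a link looks suspect; an empty list means it looks fine."""
    reasons = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme!r}, not https")
    host = (parts.hostname or "").lower()
    # "lastpass.com.evil.example" must not pass just because it starts with lastpass.com
    if host != EXPECTED_HOST and not host.endswith("." + EXPECTED_HOST):
        reasons.append(f"host {host!r} is not {EXPECTED_HOST}")
    # Percent-decode so "%3Cscript%3E" is judged the same way as "<script>"
    query = unquote(parts.query)
    if "<" in query or ">" in query:
        reasons.append("query contains '<' or '>' (HTML-like content)")
    lowered = query.lower()
    for word in SUSPECT_WORDS:
        if word in lowered:
            reasons.append(f"query contains suspect word {word!r}")
    for pair in filter(None, query.split("&")):
        if not SIMPLE_PAIR.match(pair):
            reasons.append(f"query part {pair!r} is not a simple name=value assignment")
    return reasons


def looks_safe(url: str) -> bool:
    """Convenience wrapper: True only when no heuristic fires."""
    return not check_url(url)


if __name__ == "__main__":
    for sample in (
        "https://lastpass.com/login?name=value&name2=value2",       # constructed: benign
        "https://lastpass.com/?x=%3Cmeta%20http-equiv%3Drefresh%3E",  # constructed: suspect
        "https://lastpass.com.evil.example/login?name=value",       # constructed: wrong host
    ):
        print(sample, "->", check_url(sample) or "looks fine")
```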

LastPass advise users to navigate to their site using the browser plugin, or native application where possible, as this reduces the risk of following links in emails. This approach also avoids having to learn what HTML and JavaScript look like, and has much to recommend it, especially for the less technical user.