Was LastPass at risk from the OpenSSL DROWN attack?
No, LastPass was not at risk from the DROWN vulnerability and users do not need to be concerned about the security of their data.
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) is a vulnerability discovered by academic researchers in February 2016 that affects HTTPS and other services that rely on SSL and TLS. The HTTPS and SSL protocols are what allow you to browse securely on the Internet without third parties being able to read your sensitive communications. The DROWN vulnerability would allow attackers to break the encryption of those protocols and read or steal sensitive information like passwords or credit card numbers.
However, LastPass does not support SSLv2, the version of SSL affected by the DROWN vulnerability. Users can confirm our setup by referring to a third-party audit here: https://www.ssllabs.com/ssltest/analyze.html?d=lastpass.com&s=22.214.171.124&hideResults=on showing that SSLv2 is disabled. The LastPass security team also regularly monitors for these threats and applies all software patches in a timely manner to protect our services.
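A direct way to check that a server you operate refuses SSLv2, as an added example that is not LastPass's own code or the SSL Labs test: it sends one SSLv2 CLIENT-HELLO and classifies the first bytes of the reply. The function names, the host passed to `probe`, and the sample replies are constructed for illustration.

```python
import os
import socket
import struct

# SSLv2 cipher kinds (3 bytes each) from the SSLv2 specification.
SSL2_CIPHERS = (b"\x01\x00\x80"   # RC4_128_WITH_MD5
                b"\x02\x00\x80"   # RC4_128_EXPORT40_WITH_MD5
                b"\x03\x00\x80"   # RC2_128_CBC_WITH_MD5
                b"\x04\x00\x80"   # RC2_128_CBC_EXPORT40_WITH_MD5
                b"\x06\x00\x40"   # DES_64_CBC_WITH_MD5
                b"\x07\x00\xc0")  # DES_192_EDE3_CBC_WITH_MD5

# Constructed sample replies (not captured from any real server).
SAMPLE_SSL2_SERVER_HELLO = (bytes.fromhex("801e0400010002000000030010")
                            + b"\x01\x00\x80" + bytes(16))
SAMPLE_TLS_ALERT = bytes.fromhex("15030100020246")  # fatal protocol_version


def build_sslv2_client_hello(challenge=None):
    """Return one SSLv2 record containing a CLIENT-HELLO message."""
    challenge = challenge or os.urandom(16)
    # msg type 1, version 0x0002, cipher-spec len, session-id len, challenge len
    body = struct.pack(">BHHHH", 1, 0x0002, len(SSL2_CIPHERS), 0, len(challenge))
    body += SSL2_CIPHERS + challenge
    # 2-byte record header: high bit set, remaining 15 bits are the length
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_response(data):
    """Map the first reply bytes to 'enabled', 'disabled' or 'inconclusive'."""
    if not data:
        return "disabled"          # server closed without answering
    if (len(data) >= 7 and data[0] & 0x80 and data[2] == 4
            and data[5:7] == b"\x00\x02"):
        return "enabled"           # SSLv2 SERVER-HELLO (type 4, version 0x0002)
    if len(data) >= 2 and data[0] == 0x15 and data[1] == 0x03:
        return "disabled"          # SSLv3/TLS alert record
    return "inconclusive"


def probe(host, port=443, timeout=5.0):
    """Send the hello to a server you operate and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except ConnectionResetError:
            return "disabled"
        except socket.timeout:
            return "inconclusive"
```

A "disabled" result covers only the host and port probed. The DROWN researchers note that an RSA key shared with any other service that still accepts SSLv2 remains exposed, so every service using the same key needs the same check.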