The company says no passwords were compromised and some alerts were sent in error
Large numbers of LastPass users have reported receiving email notifications warning that their master passwords are compromised and that someone is trying to log into their accounts from ‘suspicious’ locations.
As many users stated, the email notification also mentioned that LastPass blocked the login attempt.
“Someone just used your master password to try to log in to your account from a device or location we didn’t recognize. LastPass blocked this attempt, but you should take a closer look. Was this you?”, the login alerts warned, according to the LastPass users.
In their attempt to understand whether their accounts were hacked, many LastPass users reported the issue via multiple social media platforms, including Twitter, Reddit, and Hacker News, and asked for help from other online users.
“I’ve just had a bizarre thing happen and wanted to see if the HN community could come up with some theories as to what happened. LastPass blocked a login attempt from Brazil (it wasn’t me). According to an email I received from LastPass, this login was using the LastPass account’s master password. The email doesn’t look like it’s a phishing attempt,” wrote a user on Hacker News, starting a thread to highlight the issue.
“What troubles me is that the master password was stored in a local encrypted KeePassX file. I can imagine that someone has my KeePassX file and the (completely different) password to this file. If that’s the case, I’m in a world of hurt. But are there any other possibilities? Is the email from LastPass accurate i.e. was the login attempt using my master password? Is there some LastPass extension installed on some computers still having a valid auth token allowing them to log in as me to LastPass? I’m really confused and scared” he added.
Other LastPass users responded within minutes, saying that they had also received similar email alerts. Some users reported that they changed their master passwords after receiving the warning and, within a few hours, received another alert.
LastPass says no passwords were compromised
In response to users’ reports, LastPass said that there is no evidence of a data breach and users’ accounts haven’t been accessed by bad actors.
“Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services,” said Gabor Angyal, Vice President, Head of Engineering LastPass.
“We quickly worked to investigate this activity and, at this time, do not indicate that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns,” he added.
LastPass also stated that the security alerts were sent to a limited subset of the company’s users and said that some of these notifications were likely triggered in error.
“As a result, we have adjusted our security alert systems and this issue has since been resolved. These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to remember that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password,” Gabor Angyal underlined.
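The alert logic described above, as an added illustration that is not LastPass's own code: it separates a credential-stuffing source (one address trying many accounts with a low hit rate) from an ordinary login, and raises the "valid password from an unrecognised device" alert the email describes. The field names, thresholds and sample log are assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginAttempt:
    source_ip: str        # client address seen by the auth service
    account: str          # e-mail address tried
    password_valid: bool  # submitted password matched the stored verifier
    known_device: bool    # device/location previously seen for this account

# Constructed sample log for illustration (TEST-NET addresses), not real traffic.
SAMPLE_ATTEMPTS = [
    # One source cycling through many accounts with breach-dump passwords:
    LoginAttempt("203.0.113.7", "alice@example.com", True, False),
    LoginAttempt("203.0.113.7", "bob@example.com", False, False),
    LoginAttempt("203.0.113.7", "carol@example.com", False, False),
    LoginAttempt("203.0.113.7", "dave@example.com", False, False),
    LoginAttempt("203.0.113.7", "erin@example.com", False, False),
    LoginAttempt("203.0.113.7", "frank@example.com", False, False),
    # A normal login from a device the account has used before:
    LoginAttempt("198.51.100.2", "bob@example.com", True, True),
    # A legitimate user on a new laptop while travelling:
    LoginAttempt("192.0.2.9", "carol@example.com", True, False),
]

def detect_credential_stuffing(attempts, min_accounts=5, max_valid_rate=0.2):
    """Return {source_ip: [accounts]} for sources that try many distinct
    accounts with a low hit rate, the signature of credential stuffing."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.source_ip].append(a)
    flagged = {}
    for ip, evs in by_ip.items():
        accounts = {e.account for e in evs}
        valid_rate = sum(e.password_valid for e in evs) / len(evs)
        if len(accounts) >= min_accounts and valid_rate <= max_valid_rate:
            flagged[ip] = sorted(accounts)
    return flagged

def build_alerts(attempts):
    """One alert per attempt where the password was right but the device was
    not recognised; mark whether the source is also a stuffing campaign, which
    tells the user the password was most likely reused from another breach."""
    stuffing = detect_credential_stuffing(attempts)
    alerts = []
    for a in attempts:
        if a.password_valid and not a.known_device:
            alerts.append({"account": a.account, "source_ip": a.source_ip,
                           "blocked": True, "credential_stuffing": a.source_ip in stuffing})
    return alerts
```

Tuning the thresholds too loosely is exactly how a legitimate traveller's login turns into a misleading "compromised" alert; in the sample, carol is alerted but not tagged as part of a stuffing campaign.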
LastPass also advised its users to use an encrypted password manager, to choose complex, unique passwords and avoid reusing them across different websites, and to protect their accounts against credential stuffing with multi-factor authentication.
Back in September 2019, the company fixed a security vulnerability in the password manager’s Chrome extension that allowed bad actors to compromise users’ credentials last used for logging into a site.