LastPass members have reported multiple attempted logins using correct master passwords from various locations, but the company has alternately said that the recent attacks are a result of shared passwords gleaned from breaches of other services, or possibly warnings sent in error.
Multiple users in a Hacker News forum have shared that their master passwords for LastPass appear to be compromised. It is unknown how the passwords have leaked out, but a pattern has emerged amongst users.
The majority of reports appear to come from users with outdated LastPass accounts, meaning they haven't used the service in some time and haven't changed the password. This indicates the master password list being used may have come from an earlier hack.
Some users claim that changing their password hasn't helped, with one user claiming that they saw new login attempts from various locations with each password change. It is unclear how severe the password leak may be, or if LastPass is currently under attack.
LastPass has responded to AppleInsider's request for more information.
"LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted 'credential stuffing' activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services," LastPass spokesperson Meghan Larson told us. "It's important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure."
We can confirm that there is some kind of organized effort to break into LastPass vaults. Since publication, we've had confirmation from readers and colleagues all over the globe about login attempts.
A heads up for my friends, LastPass password manager isn't secure at the moment. There's a certain rush to hijack all data using master passwords as we speak.
— zodttd (@zodttd) December 28, 2021
Overnight, LastPass provided AppleInsider with another statement on the matter.
"As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts.
"We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third party as a result of this credential stuffing, nor have we found any indication that users' LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns. However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.
Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
These alerts were triggered due to LastPass's ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass's zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user's Master Password(s).
We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure."
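As an added illustration of the credential-stuffing pattern LastPass describes (not code from LastPass or AppleInsider), the following detector runs over constructed login-attempt log lines in an assumed key=value format. It separates the list-driven signature (one source trying many accounts) from one account being hit from several countries in a short window, and singles out the outcome that actually needs action: a success from a spraying source.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample log (not real LastPass logs; the key=value format is an assumption).
# 203.0.113.5 walks a stolen list across three accounts; alice is also hit from three countries.
SAMPLE_LOG = """\
2021-12-27T02:14:09Z account=alice@example.test src=203.0.113.5 geo=BR result=blocked
2021-12-27T02:14:11Z account=bob@example.test src=203.0.113.5 geo=BR result=blocked
2021-12-27T02:14:12Z account=carol@example.test src=203.0.113.5 geo=BR result=blocked
2021-12-27T02:20:40Z account=alice@example.test src=198.51.100.9 geo=IN result=blocked
2021-12-27T03:01:02Z account=alice@example.test src=192.0.2.77 geo=RU result=blocked
2021-12-27T08:30:00Z account=alice@example.test src=192.0.2.10 geo=US result=success
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) account=(?P<account>\S+) src=(?P<src>\S+) "
                     r"geo=(?P<geo>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Parse matching lines into dicts with a datetime timestamp; non-matching lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def spraying_sources(events, min_accounts=3):
    """Source IPs that tried at least min_accounts distinct accounts: the list-driven signature."""
    accounts_by_src = defaultdict(set)
    for e in events:
        accounts_by_src[e["src"]].add(e["account"])
    return {src for src, accts in accounts_by_src.items() if len(accts) >= min_accounts}

def multi_geo_accounts(events, min_countries=3, window_hours=24):
    """Accounts with blocked attempts from min_countries or more countries inside a sliding window."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "blocked":
            by_account[e["account"]].append(e)
    flagged = set()
    for account, evs in by_account.items():
        for i, first in enumerate(evs):
            later = [x for x in evs[i:] if (x["ts"] - first["ts"]).total_seconds() <= window_hours * 3600]
            if len({x["geo"] for x in later}) >= min_countries:
                flagged.add(account)
                break
    return flagged

def successes_from_spray(events, sprayers):
    """Accounts where a login succeeded from a spraying source: the alert that needs action."""
    return {e["account"] for e in events if e["result"] == "success" and e["src"] in sprayers}
```

Blocked attempts alone, as in the sample, are the noisy signal that LastPass says produced alerts; the last function is the narrow one worth paging on.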
AppleInsider recommends that users change their passwords, enable two-factor authentication, and keep an eye out for suspicious login attempts. There is also the option of removing passwords from the service and migrating to 1Password or Apple's iCloud Keychain.
LastPass is a free password manager available across desktop and mobile devices. There have been security concerns about the Android version of the app and its use of trackers.
Update 12/28 11:34 AM ET: Updated with more reports of an organized effort to penetrate LastPass repositories.
Update 12/28 12:10 PM ET: Updated with statement from LastPass.
Update 12/29 6:29 AM ET: Updated with another statement from LastPass.
Hehe....people put their password lists in the cloud.....
This has always been my issue with LastPass and all other online password managers of this nature. The same goes for browser-based vaults that sync between devices, including Apple's iCloud Keychain.
I can't pimp 1Password enough in this regard.
Does the Secret Key that 1Password utilizes for online accounts count as "a thing you know" to you? It's certainly "a thing I have" but I absolutely don't know it. As it's explained in their blog post, just having the user's URL, name, and password will not grant you access if you were to somehow hack into 1Password's server to steal their users' private values.
https://blog.1password.com/what-the-secret-key-does/