Recently, many LastPass users have reported that their master passwords have been compromised, after receiving email warnings that someone tried to use those passwords to log into their accounts from unknown locations.
The email notifications also state that the login attempts were blocked because they came from locations LastPass did not recognize.
"Someone just used your master password to try to log into your account from a device or location we don't recognize," the login alerts warn. "LastPass blocked this attempt, but you should take a closer look. Was it you?"
Reports of compromised LastPass master passwords have appeared on various social media sites and online platforms, including Twitter.
Most reports appear to come from users with dormant LastPass accounts, meaning they have not used the service for some time and have not changed their password. One early assumption was that the list of master passwords being tried could have come from a previous breach.
Some users claim that changing their password did not help, and one user said new login attempts arrived from various locations after each password change.
"LastPass has investigated recent reports of blocked login attempts and determined that the activity is related to fairly common bot activity, in which a malicious actor or actors try to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services," Bacso-Albaum said.
"It is important to note that we have no indication that the accounts were successfully accessed or that the LastPass service was compromised by an unauthorized party. We regularly monitor this type of activity and will continue to take measures designed to ensure that LastPass, its users and their data remain protected and secure," Bacso-Albaum added.
However, users who received these warnings and were interviewed said their passwords are unique to LastPass and are not used anywhere else, which is why one Internet user asked, "So how did they get these unique LastPass passwords without a LastPass breach?"
While LastPass did not share any details of how the malicious actors behind these credential stuffing attempts obtained the passwords, security researcher Bob Diachenko said he had recently found thousands of credential pairs collected by RedLine Stealer.
Some of the LastPass customers who received these login alerts have said that their email addresses do not appear in the list of credential pairs collected by RedLine Stealer that Diachenko found.
Diachenko himself also said that this list was not the source of the attack:
"OK, I have received a few requests to check emails in the RedLine Stealer logs, and there are none. None were on record. So apparently that was not the source of the attack (unfortunately, because that would have made the vector easier to understand)."
This means that, at least in the case of some of these reports, the malicious actors behind the account takeover attempts have used other means to steal their targets' master passwords.
Some customers have also reported changing their master password after receiving the login warning, only to receive another alert after the password was changed.
"Someone tried to use my LastPass master password yesterday, and then someone tried again a few hours after I changed it. What the hell is going on?"
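The two explanations in play here leave different traces in a provider's blocked-login telemetry: bulk credential stuffing from a third-party breach list fans one source out across many accounts, while the pattern users describe (one account, several countries, a correct password still arriving after a rotation) does not. The following is an added example, not code from the article or from LastPass; the alert records, account names and IP addresses are constructed, and the field layout is an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts: (time, account, source_ip, country). Each record is a
# login that presented the correct master password but was blocked because it came
# from an unrecognised location, which is what the alerts in the article describe.
ALERTS = [
    ("2021-12-27T10:00:00", "alice@example.com", "203.0.113.5", "BR"),
    ("2021-12-27T10:00:01", "bob@example.com", "203.0.113.5", "BR"),
    ("2021-12-27T10:00:02", "carol@example.com", "203.0.113.5", "BR"),
    ("2021-12-27T10:00:03", "dave@example.com", "203.0.113.5", "BR"),
    ("2021-12-27T10:00:04", "erin@example.com", "203.0.113.5", "BR"),
    ("2021-12-27T11:00:00", "frank@example.com", "198.51.100.7", "DE"),
    ("2021-12-27T14:30:00", "frank@example.com", "192.0.2.9", "TH"),
    ("2021-12-27T19:15:00", "frank@example.com", "198.51.100.77", "US"),
]
# Constructed: when each account last rotated its master password.
PASSWORD_CHANGED_AT = {"frank@example.com": "2021-12-27T12:00:00"}


def stuffing_sources(alerts, min_accounts=5):
    """Source IPs that cycled through many distinct accounts: the fan-out shape
    of bulk credential stuffing driven by a third-party breach list."""
    accounts_by_ip = defaultdict(set)
    for _, account, ip, _ in alerts:
        accounts_by_ip[ip].add(account)
    return {ip for ip, accts in accounts_by_ip.items() if len(accts) >= min_accounts}


def targeted_accounts(alerts, changed_at, min_countries=2):
    """Accounts hit from several countries, plus whether a correct-password attempt
    arrived after the user rotated the password (a stale leaked list cannot explain that)."""
    by_account = defaultdict(list)
    for ts, account, _, country in alerts:
        by_account[account].append((datetime.fromisoformat(ts), country))
    report = {}
    for account, events in by_account.items():
        countries = {c for _, c in events}
        if len(countries) < min_countries:
            continue
        rotated = changed_at.get(account)
        after = rotated is not None and any(
            t > datetime.fromisoformat(rotated) for t, _ in events)
        report[account] = {"countries": len(countries), "after_password_change": after}
    return report


if __name__ == "__main__":
    print("bulk stuffing sources:", stuffing_sources(ALERTS))
    print("targeted accounts:", targeted_accounts(ALERTS, PASSWORD_CHANGED_AT))
```

An account flagged with `after_password_change` set is the case worth escalating: the new password was never in any old breach list, so the leak is happening on the user's side (endpoint, browser, or mail) or elsewhere in the login path.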
To make matters worse, customers who tried to deactivate and delete their LastPass accounts after receiving these warnings also report getting a "Something went wrong" error after clicking the "Delete" button.
While LastPass has not been compromised, LastPass users are encouraged to enable multi-factor authentication to protect their accounts.
On its site, LastPass explains:
"Multi-factor authentication (MFA), with one-tap notifications (OneTap) on mobile, codes sent by SMS or fingerprint verification, provides a second layer of security to confirm the identity of a user before granting them access. With MFA, administrators can institute authentication policies that adhere to security standards without infringing on employee time or work. LastPass MFA goes beyond traditional two-factor authentication to ensure that the right users access the right data at the right time."