LastPass Denies that Master Passwords Were Compromised
LastPass members have reported multiple attempted logins using correct master passwords from various locations. These reports were first published by AppleInsider. LastPass is a popular password manager that stores encrypted passwords online.
Reports of the possible data breach were posted on a Hacker News forum, with users saying their LastPass master passwords appear to be compromised. The majority of reports came from users with outdated LastPass accounts, meaning they haven’t used the service in some time and haven’t changed the password.
However, LastPass says there’s no evidence of a data breach following these reports. The password manager maintains that it was never compromised. LastPass has responded to AppleInsider as well, saying:
“LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted ‘credential stuffing’ activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services,” LastPass spokesperson Meghan Larson told us. “It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”
Later on, LastPass provided AppleInsider with another statement on the matter, sharing more information about what’s going on.
As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts.
We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.
However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).
We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.
I left LastPass last year and it was the best move ever. LastPass is not secure or trustworthy. I recommend Bitwarden. Moving to Bitwarden was very easy as you can export your LastPass data and import into Bitwarden.
Only a fool would leave all his passwords online or in a browser. Try KeePass.
So it seems like a good time to update your LastPass password. It’s funny because it’s the only password I don’t store anywhere else because it’s like the keys to the kingdom.
Or, ensure you have two factor authentication enabled. Then even with the master password, a bad actor can’t get in.