LastPass master passwords may have been compromised

Status
Not open for further replies.

Gandalf_The_Grey
LastPass members have reported multiple attempted logins using correct master passwords from various locations, indicating a possible data breach at the company.

Multiple users in a Hacker News forum have shared that their master passwords for LastPass appear to be compromised. It is unknown how the passwords have leaked out, but a pattern has emerged amongst users.
The majority of reports appear to come from users with outdated LastPass accounts, meaning they haven't used the service in some time and haven't changed the password. This indicates the master password list being used may have come from an earlier hack.

Some users claim that changing their password hasn't helped, with one user claiming that they saw new login attempts from various locations with each password change. It is unclear how severe the password leak may be, or if LastPass is currently under attack.

There has been no official statement from LastPass as of yet. AppleInsider has reached out to the company for clarification.
AppleInsider recommends that users change their passwords, enable two-factor authentication, and keep an eye out for suspicious login attempts. There is also the option of removing passwords from the service and migrating to 1Password or Apple's iCloud Keychain.

LastPass is a free password manager available across desktop and mobile devices. There have been security concerns about the Android version of the app and its use of trackers.
 

Gandalf_The_Grey
Latest update of the source article:
We can confirm that there is some kind of organized effort to break into LastPass vaults. Since publication, we've had confirmation from readers and colleagues all over the globe about login attempts.
 

Gandalf_The_Grey
Latest update of the source article is a statement from LastPass:
LastPass has responded to AppleInsider's request for more information.

"LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted 'credential stuffing' activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services," LastPass spokesperson Meghan Larson told us. "It's important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure."
 

JasonUK
Lastpass response also appears at:

It's also worth noting that LastPass cannot leak Master Passwords as, in their own words from their website:

"Local-only encryption.
Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass."

Gandalf_The_Grey
The Bleeping Computer article states, in reaction to the LastPass statement:
However, users receiving these warnings have stated that their passwords are unique to LastPass and not used elsewhere. BleepingComputer has asked LastPass about these concerns but has not received a reply as of yet.

Some customers have also reported changing their master passwords since they received the login warning, only to receive another alert after the password was changed.

Someone tried my @LastPass master password earlier yesterday and then someone just tried it again a few hours ago after I changed it. What the hell is going on?
— Valcrist (@Valcristerra) December 28, 2021
To make things even worse, customers who tried disabling and deleting their LastPass accounts after receiving these warnings also report [1, 2] receiving "Something went wrong: A" errors after clicking the "Delete" button.
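A defender-side triage sketch for the two readings of this activity: the credential-stuffing explanation LastPass gave above, and the counter-reports of alerts that continue after a master password change. This is an added example, not code from LastPass, AppleInsider or BleepingComputer; the event fields, outcome labels, timestamps, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (timestamp, account, source_ip, outcome).
# 'correct_pw_new_location' mirrors the alert users in the thread describe:
# the right master password presented from an unrecognised location.
EVENTS = [
    ("2021-12-27T10:00:01", "alice@example.com", "198.51.100.7", "wrong_pw"),
    ("2021-12-27T10:00:02", "bob@example.com", "198.51.100.8", "wrong_pw"),
    ("2021-12-27T10:00:03", "carol@example.com", "203.0.113.9", "wrong_pw"),
    ("2021-12-27T10:00:04", "dave@example.com", "203.0.113.10", "wrong_pw"),
    ("2021-12-27T11:30:00", "erin@example.com", "192.0.2.5", "correct_pw_new_location"),
    ("2021-12-27T19:45:00", "erin@example.com", "192.0.2.77", "correct_pw_new_location"),
]
# Constructed: when each account last rotated its master password (ISO 8601,
# so plain string comparison orders timestamps correctly).
PASSWORD_CHANGED = {"erin@example.com": "2021-12-27T14:00:00"}


def triage(events, password_changed, spray_min_accounts=4):
    """Separate a stuffing-shaped spray from per-account signals that
    third-party breach data cannot explain."""
    per_account = defaultdict(list)
    for ts, account, ip, outcome in events:
        per_account[account].append((ts, ip, outcome))

    # Stuffing signature: many distinct accounts, each probed about once
    # with a wrong password (the stuffed credential came from another site).
    sprayed = [a for a, ev in per_account.items()
               if len(ev) == 1 and ev[0][2] == "wrong_pw"]

    # Counter-signal raised in the thread: the *current* password is presented
    # again after rotation. A leaked list from another service cannot contain a
    # password that was only just created, so these accounts need investigation.
    unexplained = []
    for account, ev in per_account.items():
        changed = password_changed.get(account)
        if changed and any(ts > changed and o == "correct_pw_new_location"
                           for ts, _, o in ev):
            unexplained.append(account)

    verdict = ("consistent_with_credential_stuffing"
               if len(sprayed) >= spray_min_accounts else "inconclusive")
    return {"verdict": verdict, "sprayed_accounts": len(sprayed),
            "investigate": sorted(unexplained)}


if __name__ == "__main__":
    print(triage(EVENTS, PASSWORD_CHANGED))
```

The two outputs are deliberately independent: a spray verdict across the population does not clear an individual account on the "investigate" list, which is the gap the users quoted above were pointing at.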
 

upnorth
People that think they are affected should simply turn ON 2FA, then go check with quality sites like:


If confirmed compromised, and instead of spreading more paranoid behavior like crazy chickens, for Christ's sake also switch passwords and please not on the same machine. Basic Security ABC.
 

wat0114
They have had multiple security vulnerabilities and some breaches in the past; this just gives you more reasons to avoid it.

Not being open source also kills it being recommendable.
According to the Bleeping Computer link posted above:

LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum told BleepingComputer that "LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services."

So in possible fairness to Lastpass, and though of course I'm only speculating, I'm not sure they can do much about a botnet hammering away on the system, trying to infiltrate accounts with a deluge of previously breached credentials.
 

JasonUK
Personally I don't think Lastpass have been breached if Master Passwords are not stored in any format on their servers as their website states. That's assuming their browser extensions aren't leaky of course. Mud sticks regardless so LP will take a hit (again). I've got 2FA enabled and only recently changed my Master Password anyway.

Time to give Bitwarden another go I suppose... :) I prefer local managers like KeePassXC so will probably just end up scrapping the others.

Gandalf_The_Grey
Unusual Attempted Login Activity: How LastPass Protects You
Importantly, we also want to reassure you that there is no indication, at this time, that LastPass or LogMeIn were breached or compromised.

What Can LastPass Users Do?

To help ensure your LastPass and other online accounts are secured from bad actors or hackers, we recommend users follow these online best practices:
  • Use a strong, secure Master Password for your LastPass account that you never disclose to anyone.
  • Never re-use passwords on multiple accounts, especially your LastPass Master Password. Use a different, unique, and suitably complex password for every online account.
  • We strongly advise using the LastPass Security Dashboard to identify websites saved in your vault where you’re re-using passwords. LastPass can help you replace those passwords with strong, unique and complex ones using our password generator tool.
  • Enable dark web monitoring in the Security Dashboard. Once it’s on, you can rest assured knowing that LastPass is providing additional monitoring of your account on your behalf. If an account is determined to be at risk via the monitoring, you will receive an alert in your email and in-product.
  • Turn on multi-factor authentication for LastPass and other services like your online banking, email, social media, etc.
  • Be aware of and recognize the common signs of attempted phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
  • Run anti-virus, end-point protection, and/or anti-malware protection software, as well as regularly update your software and anti-virus signatures.
  • Make regular backups (either locally or to the cloud) of your critical data – backups help to ensure you have an additional copy of your data in a safe place (i.e., in the event of loss of access to your regularly accessed copy). Creating a daily, weekly, bi-weekly or bi-monthly backup is a good “best practice” to ensure that all changes, additions, and new files are maintained and remain up-to-date.