LastPass master passwords may have been compromised

[Gandalf_The_Grey]

LastPass members have reported multiple attempted logins using correct master passwords from various locations, indicating a possible data breach at the company.

Multiple users in a Hacker News forum have shared that their master passwords for LastPass appear to be compromised. It is unknown how the passwords have leaked out, but a pattern has emerged amongst users.
The majority of reports appear to come from users with outdated LastPass accounts, meaning they haven't used the service in some time and haven't changed the password. This indicates the master password list being used may have come from an earlier hack.

Some users claim that changing their password hasn't helped, with one user claiming that they saw new login attempts from various locations with each password change. It is unclear how severe the password leak may be, or if LastPass is currently under attack.

There has been no official statement from LastPass as of yet. AppleInsider has reached out to the company for clarification.

https://twitter.com/i/web/status/1475728313117298691

AppleInsider recommends that users change their passwords, enable two-factor authentication, and keep an eye out for suspicious login attempts. There is also the option of removing passwords from the service and migrating to 1Password or Apple's iCloud Keychain.

LastPass is a free password manager available across desktop and mobile devices. There have been security concerns about the Android version of the app and its use of trackers.

 

[pablozi]

There is also the option of removing passwords from the service and migrating to 1Password or Apple's iCloud Keychain.

Yup. Staying away from LP is the way to go.

 

[CyberTech]

I was gonna post it, well job.

 

[Gandalf_The_Grey]

Yup. Staying away from LP is the way to go.

If not (I switched to Bitwarden) change your master password and enable two-factor authentication.

 

[Alaric Michael]

The only thing that can help you passwords to get leaked out is : Two-factor authentication !

 

[amirr]

If not (I switched to Bitwarden) change your master password and enable two-factor authentication.

I already have my 2FA enabled for my LP account. Do I need to change my Master Password too? Thanks.

 

[Gandalf_The_Grey]

I already have my 2FA enabled for my LP account. Do I need to change my Master Password too? Thanks.

They say: "master passwords may have been compromised".
So, nothing is sure.

Would change my master password and wait how this develops.

Maybe it is time to change password manager.

 

[CyberTech]

I already have my 2FA enabled for my LP account. Do I need to change my Master Password too? Thanks.

Yes obviously, please read the article dude!

 

[ScandinavianFish]

They have had multiplie security vulnerabilities and some breaches in the past, this just gives you more reasons to avoid it.

Not being open source also kills it being an recommendable.

 

[silversurfer]

I already have my 2FA enabled for my LP account. Do I need to change my Master Password too? Thanks.

If you want to continue using LP then no need to worry IMO as long as you change your Master-Password and most important to keep enabled 2FA.

 

[amirr]

I don't easily change the software I already use for years, so I remain faithful to LP.
I have "LastPass MFA" enabled, as well as recovery phone included in my account.

 

[Gandalf_The_Grey]

Latest update of the source article:

We can confirm that there is some kind of organized effort to break into LassPass vaults. Since publication, we've had confirmation from readers and colleagues all over the globe about login attempts.

LastPass denies claims that master passwords may have been compromised | AppleInsider

LastPass members have reported multiple attempted logins using correct master passwords from various locations, but the company has alternately said that the recent attacks are a result of shared passwords gleaned from breaches of other services, or possibly warnings sent in error.

appleinsider.com

 

[Gandalf_The_Grey]

Latest update of the source article is a statement from LastPass:

LastPass has responded to AppleInsider's request for more information.

"LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted 'credential stuffing' activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services," LastPass spokesperson Meghan Larson told us. "It's important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure."

LastPass denies claims that master passwords may have been compromised | AppleInsider

LastPass members have reported multiple attempted logins using correct master passwords from various locations, but the company has alternately said that the recent attacks are a result of shared passwords gleaned from breaches of other services, or possibly warnings sent in error.

appleinsider.com

 

[JasonUK]

Lastpass response also appears at:

LastPass Says It Didn’t Leak Your Master Password [Update: Further Clarification]

Several LastPass users claim that they’re receiving emails from the company about unauthorized login attempts using their master passwords. Fortunately, LastPass has responded to the issue, and the password manager says it hasn’t leaked any user information.

www.howtogeek.com

It's also worth noting that LastPass cannot leak Master Passwords as, in their own words from their website;

"Local-only encryption.
Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass."

 

[Gandalf_The_Grey]

Bleeping Computer article states as a reaction on LastPass statement:

However, users receiving these warnings have stated that their passwords are unique to LastPass and not used elsewhere. BleepingComputer has asked LastPass about these concerns but has not received a reply as of yet.

Some customers have also reported changing their master passwords since they received the login warning, only to receive another alert after the password was changed.

Someone tried my @LastPass master password earlier yesterday and then someone just tried it again a few hours ago after I changed it. What the hell is going on?
— Valcrist (@Valcristerra) December 28, 2021​

To make things even worse, customers who tried disabling and deleting their LastPass accounts after receiving these warnings also report [1, 2] receiving "Something went wrong: A" errors after clicking the "Delete" button.

LastPass users warned their master passwords are compromised

Many LastPass users report that their master passwords have been compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations.

www.bleepingcomputer.com

 

[upnorth]

People that think they are effected should simply turn ON 2FA, then go check with quality sites like :

https://haveibeenpwned.com/

If confirmed compromised, and instead of spreading more paranoid behavior like crazy chickens, for christ sake also switch passwords and please not on the same machine. Basic Security ABC.

 

[wat0114]

They have had multiplie security vulnerabilities and some breaches in the past, this just gives you more reasons to avoid it.

Not being open source also kills it being an recommendable.

According to the Bleeping Computer link posted above:

LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum told BleepingComputer that "LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services."

So in possible fairness to Lastpass, and though of course I'm only speculating, I'm not sure they can do much about a botnet hammering away on the system, trying to infiltrate accounts with a deluge of previously breached credentials.

 

[JasonUK]

Personally I don't think Lastpass have been breached if Master Passwords are not stored in any format on their servers as their website states. That's assuming their browser extensions aren't leaky of course. Mud sticks regardless so LP will take a hit (again). I've got 2FA enabled and only recently changed my Master Password anyway.

Time to give Bitwarden another go I suppose... I prefer local managers like KeyPass XC so will probably just end up scrapping the others.

 

[Gandalf_The_Grey]

Unusual Attempted Login Activity: How LastPass Protects You

Importantly, we also want to reassure you that there is no indication, at this time, that LastPass or LogMeIn were breached or compromised.

What Can LastPass Users Do?​

To help ensure your LastPass and other online accounts are secured from bad actors or hackers, we recommend users follow these online best practices:

• Use a strong, secure Master Password for your LastPass account that you never disclose to anyone.
• Never re-use passwords on multiple accounts, especially your LastPass Master Password. Use a different, unique, and suitably complex password for every online account.
• We strongly advise using the LastPass Security Dashboard to identify websites saved in your vault where you’re re-using passwords. LastPass can help you replace those passwords with strong, unique and complex ones using our password generator tool.
• Enable dark web monitoring in the Security Dashboard. Once it’s on, you can rest assured knowing that LastPass is providing additional monitoring of your account on your behalf. If an account is determined to be at risk via the monitoring, you will receive an alert in your email and in-product.
• Turn on multi-factor authentication for LastPass and other services like your online banking, email, social media, etc.
• Be aware of and recognize the common signs of attempted phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
• Run anti-virus, end-point protection, and/or anti-malware protection software, as well as regularly update your software and anti-virus signatures.
• Make regular backups (either locally or to the cloud) of your critical data – backups help to ensure you have an additional copy of your data in a safe place (i.e., in the event of loss of access to your regularly accessed copy). Creating a daily, weekly, bi-weekly or bi-monthly backup is a good “best practice” to ensure that all changes, additions, and new files are maintained and remain up-to-date.

Unusual Attempted Login Activity: How LastPass Protects You - The LastPass Blog

As part of our commitment to security, we regularly monitor our services for actual, suspected, or attempted malicious or unusual activity.

blog.lastpass.com

 

[Local Host]

Me sipping tea comfortably with my local password manager (KeePass), that leaks and hacks can't reach,

Having your passwords online is asking for trouble, same for having them saved on the browser and synced.