While LastPass didn't share any details regarding how the threat actors behind these credential stuffing attempts obtained the credentials, security researcher Bob Diachenko said he recently found thousands of LastPass credentials while going through RedLine Stealer malware logs.
BleepingComputer was also told by LastPass customers who received such login alerts that their emails were not in the list of login pairs harvested by RedLine Stealer that Diachenko found.
This means that, at least in the case of some of these reports, the threat actors behind the takeover attempts used some other means to steal their targets' master passwords.
Notable quote from the thread: "Because LastPass is beyond stupid and uses your master password to log in to their bbulletin or whatever php forum."
There is a discussion about it here.
I want to point out the following from a poster there:
“What troubles me is that the master password was stored in a local encrypted KeePassX file.”
As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts.
We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third party as a result of this credential stuffing, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.
However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.
Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).
We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.
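The statement above leans on the "zero-knowledge" model: the master password is only ever used on the client, and the server stores a value derived from it that is useless for decrypting the vault. The following is an added illustration of that pattern, not LastPass's own code; the concrete choices (PBKDF2-HMAC-SHA256, 100,000 iterations, the lower-cased e-mail address as salt, one extra KDF round to separate the login hash from the vault key, a further salted hash on the server) are assumptions modelled on the common design, not a description of what any vendor ships.

```python
"""Zero-knowledge style login: the server never sees the master password.

Added illustration (not LastPass code). Parameters are assumptions.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed client-side work factor


def derive_vault_key(email: str, master_password: str) -> bytes:
    """Client side: the key that encrypts the vault. It never leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more KDF round so the value sent over the wire is not the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


class AuthServer:
    """Server side: stores a salted hash of the login hash, never the password or vault key."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def register(self, email: str, login_hash: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)
        self._records[email.lower()] = (salt, stored)

    def verify(self, email: str, login_hash: bytes) -> bool:
        rec = self._records.get(email.lower())
        if rec is None:
            return False
        salt, stored = rec
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)
        # constant-time comparison so timing does not leak how many bytes matched
        return hmac.compare_digest(candidate, stored)

    def stored_record(self, email: str) -> tuple[bytes, bytes]:
        """What an attacker would obtain from a dump of the server's database."""
        return self._records[email.lower()]


def demo() -> tuple[bool, bool, bool]:
    """Returns (correct password accepted, wrong password rejected, server holds vault key)."""
    email = "user@example.com"                 # constructed sample account
    password = "correct horse battery staple"  # constructed sample master password
    server = AuthServer()

    # Enrolment: only the login hash crosses the network.
    vault_key = derive_vault_key(email, password)
    server.register(email, derive_login_hash(vault_key, password))

    # Later login from the same client with the right password.
    accepted = server.verify(
        email, derive_login_hash(derive_vault_key(email, password), password)
    )
    # Login attempt with a wrong password.
    rejected = server.verify(
        email, derive_login_hash(derive_vault_key(email, "wrong"), "wrong")
    )
    # A leak of the server record does not hand over the vault key.
    _salt, stored = server.stored_record(email)
    server_has_vault_key = stored == vault_key
    return accepted, not rejected, server_has_vault_key


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False)
```

The design point for this thread: a server-side breach yields only salted hashes of an already-derived value, which is why LastPass can say it never holds the master password. The model gives no protection when the password itself is captured on the client (a stealer log, a keylogger, a plaintext note), because that client can produce a valid login hash. That is exactly the scenario the reports above describe, and it is what device security, MFA and login anomaly alerts are there to cover.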
LastPass VPs confirm 'no indication' of compromised accounts after security alerts
LastPass VP Gabor Angyal said some of the security alerts that initially caused concern were "likely triggered in error."
Two LastPass vice presidents have released statements about the situation surrounding LastPass security issues that came to light this week.
Two days ago, hundreds of LastPass users took to Twitter, Reddit, and other sites to complain that they were getting alerts about their master password being used by someone who was not them. Some reported that even after changing their master password, someone tried to access their account again.
On Tuesday, the company released a brief statement noting that its security team observed and received reports of potential credential stuffing attempts. Credential stuffing involves attackers taking username and password pairs stolen elsewhere (typically from earlier breaches or malware logs) and trying them in bulk against another service's login page, relying on people reusing passwords.
"While we have observed a small uptick in this activity, we are utilizing multiple technical, organizational, and operational methods designed to protect against credential stuffing attempts. Importantly, we also want to reassure you that there is no indication, at this time, that LastPass or LogMeIn were breached or compromised," wrote Gabor Angyal, VP of engineering at LastPass.
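The statement refers to technical methods for detecting credential stuffing, and the company later said some alerts were "triggered in error". The example below is added here to show what such a detector typically looks at and where it goes wrong; it is not LastPass or LogMeIn code. The log format, the IP addresses (documentation ranges), the user names and the thresholds are all constructed assumptions.

```python
"""Spotting credential-stuffing patterns in authentication logs.

Added example, not LastPass/LogMeIn code. Log format and thresholds are assumptions.
The key idea: "many distinct accounts from one source" alone is a poor signal,
because an office NAT or a mobile carrier looks the same; the failure ratio is
what separates an attacker replaying stolen pairs from a crowd of real users.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Attempt:
    ts: int          # seconds since epoch (constructed)
    src_ip: str
    username: str
    success: bool


def parse_line(line: str) -> Attempt:
    """Parse one constructed log line of the form '<ts> <ip> <user> <OK|FAIL>'."""
    ts, ip, user, result = line.split()
    return Attempt(int(ts), ip, user, result == "OK")


def classify_sources(attempts: Iterable[Attempt], window: int = 300,
                     min_users: int = 10, min_fail_ratio: float = 0.8) -> Dict[str, str]:
    """Return {src_ip: verdict}; verdict is 'stuffing', 'shared-nat' or 'normal'.

    A source is 'stuffing' if, within any sliding window of `window` seconds, it
    touched at least `min_users` distinct accounts and at least `min_fail_ratio`
    of those attempts failed. Many accounts with mostly successful logins is
    'shared-nat' (a legitimate crowd behind one address), which a naive
    distinct-user counter would flag and alert on by mistake.
    """
    by_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for a in attempts:
        by_ip[a.src_ip].append(a)

    verdicts: Dict[str, str] = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r.ts)
        verdict = "normal"
        start = 0
        for end in range(len(rows)):
            # advance the window start so rows[start:end+1] spans <= window seconds
            while rows[end].ts - rows[start].ts > window:
                start += 1
            win = rows[start:end + 1]
            users = {r.username for r in win}
            if len(users) < min_users:
                continue
            fail_ratio = sum(1 for r in win if not r.success) / len(win)
            if fail_ratio >= min_fail_ratio:
                verdict = "stuffing"
                break
            verdict = "shared-nat"
        verdicts[ip] = verdict
    return verdicts


# Constructed sample log (documentation IP ranges, made-up accounts).
SAMPLE_LOG = [
    # attacker replaying a stolen list: 12 accounts in 60 s, one of them reused a password
    *[f"{1000 + i * 5} 203.0.113.7 user{i:02d} {'OK' if i == 4 else 'FAIL'}" for i in range(12)],
    # office NAT: 12 staff logging in over ~3 minutes, all succeed
    *[f"{1000 + i * 15} 198.51.100.20 staff{i:02d} OK" for i in range(12)],
    # one person mistyping twice, then succeeding
    "1000 192.0.2.5 alice FAIL",
    "1020 192.0.2.5 alice FAIL",
    "1040 192.0.2.5 alice OK",
]


def run(lines: Iterable[str] = SAMPLE_LOG) -> Dict[str, str]:
    return classify_sources(parse_line(line) for line in lines)


if __name__ == "__main__":
    for ip, verdict in run().items():
        print(f"{ip:16} {verdict}")
```

Run stand-alone, it labels 203.0.113.7 as stuffing, 198.51.100.20 as a shared NAT rather than an attack, and 192.0.2.5 as normal. Whatever the real cause of the erroneous LastPass alerts (the page does not say), the general lesson holds: alert rules that key on volume or distinct-account counts without a failure-rate term will page real users, and every false alert erodes trust in the true ones.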
You can read here that this user states:
Maybe the affected LP users were hit by a keylogger, or stored their master password in an insecure way, either on their device or in the cloud. I don't see any evidence that LP was hacked. It sounds more like users were hacked.
I agree 110%, anyone who pays a service to store their passwords online would be better off taking their money and burning it.
Me sipping tea comfortably with my local password manager (KeePass), that leaks and hacks can't reach. Having your passwords online is asking for trouble, same for having them saved on the browser and synced.
If the KeePassX file was compromised, it could affect other applications, websites and even Bitwarden. It seems to target LP for now.
Someone else stated that they got an alert even after changing passwords.
Perhaps LastPass is right, and it was an error.
Does that mean other accounts in the KeePass database may be compromised?
If the master password was (possibly) obtained from a locally encrypted KeePassX database as the original poster on Hacker News feared, then the issue is with the user's device security, not LastPass.
KeePass databases are stored locally, so your system would be compromised in that case.
Seems weird to me.
I've noted that too. LastPass' device-type changes earlier in the year didn't really worry me but the whiff (again) around this password manager is the proverbial straw that broke the camel's back. I've deleted my LastPass vault and will stick to locally stored KeePassXC for now although I'll probably give Bitwarden another go too (wasn't impressed last time).
I've seen multiple excuses from LastPass, which shows even they don't know what is going on, they're just trying to put out the fire.
Another alternative could be 1Password.
"And even if it does get hacked someday, the chances that your bank account will be first to go are kind of low."