Several LastPass users claim that they are receiving emails from the company about unauthorized login attempts using their master passwords. Fortunately, LastPass has responded to the issue, and the password manager says it hasn’t leaked any user information.
The reports originated from Hacker News, where one user said: “LastPass blocked a login attempt from Brazil (it wasn’t me). According to an email I received from LastPass, this login was using the LastPass account’s master password. The email does not appear to be a phishing attempt.”
This led to speculation that LastPass might have somehow leaked master passwords, as these emails only arrive if the unauthorized person logs in with the correct password. However, this seemed unlikely, as LastPass makes it clear that it does not store master passwords on its servers and that everything is done locally.
We reached out to LastPass for comment and a spokesperson confirmed our suspicions:
LastPass investigated recent reports of blocked login attempts and determined that the activity is related to a fairly common bot-related activity, in which a malicious actor tries to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It is important to note that we have no indication that the accounts were successfully accessed or that the LastPass service was compromised by an unauthorized party. We regularly monitor this type of activity and will continue to take measures designed to ensure that LastPass, its users and their data remain protected and secure.
It appears that LastPass did exactly what it is supposed to do in this situation by blocking a sign-in attempt that seemed suspicious.
It appears that users who had their passwords stolen could have been the victims of a keylogger or some other form of third-party attack. Their information could also have been leaked in an unrelated attack on a service where they use the same email address and password.
Either way, if you’re a LastPass user (or a user of any sensitive tool like a password manager), it’s a good idea to enable two-factor authentication to make sure you’re safe from anyone gaining unauthorized access to your account. It’s also not a bad idea to change your password if you’re concerned that it might be compromised for any reason.