LastPass: some users report compromised accounts
Some users of the LastPass password manager revealed this week that they have received emails from LastPass stating that logins to their accounts using the account's master password were blocked. The first of these reports was published on Hacker News.
Update: LastPass issued another statement on December 30, 2021. In it, vice president of product management, Dan DeMichele, suggests that at least some of the security alerts were sent out in error to users.
The emails that are sent out by LastPass state that LastPass blocked a login attempt. In the case of the thread starter, the login attempt came from Brazil.
Login attempt blocked
Someone just used your master password to try to log in to your account from a device or location we didn't recognize. LastPass blocked this attempt, but you should take a closer look.
The emails are legitimate emails from LastPass, not phishing emails. The attackers managed to gain access to the master password of the customer. It is unclear how the attackers obtained the data; possibilities include malware running on user systems, old data from past breaches, credentials reused in other online accounts that were compromised, or a new security issue.
Bleeping Computer published a comment from LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum, which suggests that the data comes from third-party breaches and that the attacks are coming from bots.
LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.
LastPass has no indication that accounts were successfully accessed or that its service was compromised, according to the response.
Some of the users who reported the issue online stated that their master passwords are unique and not used elsewhere, which, if true, eliminates the third-party breach scenario.
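The two behaviours discussed above, a "Login attempt blocked" notice when a correct master password arrives from an unrecognized device or location, and bot-driven credential stuffing in which one source tries many different accounts with passwords from third-party breaches, can both be checked from an authentication log. The following Python is an added illustration and is not LastPass code; the log format, the sample events, the known-device table and the threshold of three accounts per source IP are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample authentication events (not real LastPass logs).
# Fields: timestamp, whether the master password matched, account, source IP,
# source country, device identifier. The addresses are documentation ranges.
SAMPLE_LOG = """\
2021-12-27T10:00:01Z ok   alice@example.test 198.51.100.7 US dev-a1
2021-12-27T10:02:13Z fail alice@example.test 203.0.113.9  BR dev-zz
2021-12-27T10:02:14Z fail bob@example.test   203.0.113.9  BR dev-zz
2021-12-27T10:02:15Z fail carol@example.test 203.0.113.9  BR dev-zz
2021-12-27T10:02:16Z ok   dave@example.test  203.0.113.9  BR dev-zz
2021-12-27T10:05:00Z ok   bob@example.test   192.0.2.44   DE dev-b7
"""

# Constructed table of (country, device) pairs previously verified for each
# account, as a service would keep from earlier confirmed logins.
KNOWN_DEVICES = {
    "alice@example.test": {("US", "dev-a1")},
    "bob@example.test": {("DE", "dev-b7")},
    "carol@example.test": {("US", "dev-c3")},
    "dave@example.test": {("US", "dev-d2")},
}


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    password_ok: bool
    account: str
    src_ip: str
    country: str
    device: str


def parse_log(text):
    """Parse the whitespace-separated constructed log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, account, src_ip, country, device = line.split()
        events.append(AuthEvent(ts, outcome == "ok", account, src_ip, country, device))
    return events


def decide(event, known):
    """Policy for one attempt: a wrong password is rejected, a correct password
    from a known device/location is allowed, and a correct password from an
    unrecognized one is blocked and the account owner is notified (the case
    behind the 'Login attempt blocked' email)."""
    if not event.password_ok:
        return "reject"
    if (event.country, event.device) in known.get(event.account, set()):
        return "allow"
    return "block_and_notify"


def unrecognized_valid_logins(events, known):
    """Attempts where the password was correct but the device/location was not
    on the account's known list: these indicate the password itself is exposed."""
    return [e for e in events if decide(e, known) == "block_and_notify"]


def stuffing_sources(events, min_accounts=3):
    """Source IPs that tried at least min_accounts distinct accounts, the
    bot pattern described in LastPass's statement. Counts every attempt,
    successful or not, since stuffing is recognisable before any success."""
    accounts_by_ip = defaultdict(set)
    for e in events:
        accounts_by_ip[e.src_ip].add(e.account)
    return {ip: len(a) for ip, a in accounts_by_ip.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in evts:
        print(e.ts, e.account, e.src_ip, decide(e, KNOWN_DEVICES))
    print("stuffing sources:", stuffing_sources(evts))
```

The per-account check catches the one attempt that matters most to a user, a correct master password from somewhere new, while the per-source check catches the bot even when every password it tries is wrong. The example keys known devices on a (country, device) pair and uses no time window; a production detector would rate-limit per source over a sliding window and would also watch for the same account being tried from many sources.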
LastPass is an online password management service; customers may sign in online to access their account using a master password. Options to protect the accounts with two-factor authentication are available as well.
LastPass customers may want to add two-factor authentication to their accounts to better protect them against unauthorized login attempts. Changing the master password may also be an option, but only if the leak comes from a third-party source and not from LastPass directly.
Online password managers offer comfortable options to sync passwords across all devices, but they add another attack vector when compared to local password manager solutions such as KeePass.
Now You: do you use an online password manager, or a local one? (via Born)