LastPass users: it seems some master passwords are out in the wild and compromised
The company says it is a credential stuffing attack but we’re not so sure.
UPDATE 12/31/2021 9:43 AM ET: LastPass says your passwords are totally safe and no one’s account was compromised. The alerts sent out by the company earlier in the week were apparently triggered in error. More details here. The original story follows below.
We’re seeing a spate of reports from LastPass users whose accounts have blocked unauthorized login attempts that used their master passwords.
In some cases, those login attempts were successful, even with two-factor authentication set up on the account, and with unique passwords that were not used on any other service. Some users even report secondary login attempts after changing their master passwords.
Users have been reporting unauthorized logins on Twitter, Reddit, and HackerNews over the last few days. A large share of the reports mention IP address ranges in Brazil as the origin, but that doesn’t mean too much. It could be a server set up by hackers in another country, or even a VPN service based in Brazil.
Commenters on HackerNews thought this might have to do with LastPass’ old support forums. Those used phpBB, and required you to use your email and LastPass master password to log in for support.
Yes, that master password which protects your password vault. While they might have been using locally-created hashes to authenticate instead of plaintext passwords, if anyone had a skimmer on your browser or the site, your master password isn’t secret anymore.
For their part, LastPass told BleepingComputer that the current crop of attacks is simple credential stuffing. That’s when an attacker uses one of the many publicly available databases from other site breaches and sets up a bot to check all the possible combinations. This works a distressingly large amount of the time, as people tend to reuse passwords.
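Credential stuffing has a recognizable footprint in authentication logs: one source tries many different accounts, most of the attempts fail, and the occasional success is exactly the account that reused a breached password. The script below is an added example, not code from the article or from LastPass, showing how a defender would flag that pattern. The log format, the IP addresses (documentation ranges), the accounts and the thresholds are all constructed for the example.

```python
"""Credential-stuffing detection over authentication logs.

Added example (not from the article or from LastPass): flags source IPs
that attempt logins against many distinct accounts, mostly failing, which
is the usual footprint of a bot replaying a breach dump. The log format
and every line in SAMPLE_LOG are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed log format: "<ts> login user=<email> ip=<addr> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)

SAMPLE_LOG = """\
2021-12-27T10:00:01Z login user=alice@example.com ip=203.0.113.7 result=fail
2021-12-27T10:00:02Z login user=bob@example.com ip=203.0.113.7 result=fail
2021-12-27T10:00:03Z login user=carol@example.com ip=203.0.113.7 result=ok
2021-12-27T10:00:04Z login user=dave@example.com ip=203.0.113.7 result=fail
2021-12-27T10:00:05Z login user=erin@example.com ip=203.0.113.7 result=fail
2021-12-27T10:00:06Z login user=frank@example.com ip=203.0.113.7 result=fail
2021-12-27T10:01:00Z login user=alice@example.com ip=198.51.100.22 result=fail
2021-12-27T10:01:30Z login user=alice@example.com ip=198.51.100.22 result=ok
2021-12-27T10:02:00Z login user=bob@example.com ip=192.0.2.44 result=ok
this line is malformed and must be skipped, not crash the parser
"""


@dataclass
class IpStats:
    """Per-source-IP counters."""
    users: set = field(default_factory=set)      # distinct accounts tried
    attempts: int = 0
    failures: int = 0
    successes: set = field(default_factory=set)  # accounts that logged in OK


def parse_log(text):
    """Yield (user, ip, result) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["user"], m["ip"], m["result"]


def aggregate_by_ip(records):
    """Group parsed records by source IP."""
    stats = defaultdict(IpStats)
    for user, ip, result in records:
        s = stats[ip]
        s.users.add(user)
        s.attempts += 1
        if result == "fail":
            s.failures += 1
        else:
            s.successes.add(user)
    return stats


def flag_stuffing(stats, min_distinct_users=5, min_fail_ratio=0.6):
    """Return {ip: details} for sources whose pattern looks like credential stuffing.

    The signature is breadth, not depth: many *different* accounts tried from one
    source, most of them failing. A user fumbling their own password
    (198.51.100.22 in the sample) hits one account and is not flagged.
    """
    flagged = {}
    for ip, s in stats.items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s.users),
                "fail_ratio": round(fail_ratio, 2),
                # Accounts that succeeded from a stuffing source are the ones
                # that reused a breached password: reset them and revoke sessions.
                "compromised_candidates": sorted(s.successes),
            }
    return flagged


def analyze(text, **thresholds):
    """Parse, aggregate and flag in one call."""
    return flag_stuffing(aggregate_by_ip(parse_log(text)), **thresholds)


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
```

Per-IP thresholds are only a first filter: a bot spread across a proxy pool, of the kind the Brazil origin in the reports may point at, makes one or two attempts per address and slips under them, so production detection also aggregates per subnet or ASN and, on the account side, counts failures per account across many source IPs. The `compromised_candidates` list is the actionable output: those accounts accepted a breached credential and should have their sessions revoked and passwords reset.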
That explanation doesn’t pass the sniff test. Multiple users have said that their master password was unique, and two-factor authentication was turned on. Some even report unauthorized logins once they changed their master password.
If you were hoping to escape by deleting your account, LastPass’ account-deletion routine is slightly bugged as well: an error message appears at the end of the deletion process, which is slightly worrisome.
It seems that trying to log in afterward shows that the account was deleted. LastPass even lets the user create a new account with their email address, which it doesn’t do if an account is already associated with that address.
Anyway, literally any other password manager is more trustworthy in our eyes at this point. If you’re a LastPass user, maybe it’s time to change.
UPDATE 12/29/2021 10:16 AM ET: LastPass is doubling down and insists the company didn’t leak your passwords. “…at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”