LastPass denies claims that master passwords may have been compromised

LastPass may have been hacked
Multiple users in a Hacker News forum have shared that their master passwords for LastPass appear to be compromised. It is unknown how the passwords have leaked out, but a pattern has emerged amongst users.
The majority of reports appear to come from users with outdated LastPass accounts, meaning they haven't used the service in some time and haven't changed the password. This indicates the master password list being used may have come from an earlier hack.
Some users claim that changing their password hasn't helped, with one user claiming that they saw new login attempts from various locations with each password change. It is unclear how severe the password leak may be, or if LastPass is currently under attack.
LastPass has responded to AppleInsider's request for more information.
"LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted 'credential stuffing' activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services," LastPass spokesperson Meghan Larson told us. "It's important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure."
We can confirm that there is some kind of organized effort to break into LastPass vaults. Since publication, we've had confirmation from readers and colleagues all over the globe about login attempts.
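What distinguishes credential stuffing from a targeted attack on one account is the shape of the login traffic: a single source spraying one leaked password per account across many accounts, with a low hit rate, rather than hammering one account with many guesses. The following detection rule is an added example written for this article, not code from AppleInsider or LastPass; the log format, the sample lines and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real LastPass telemetry):
# timestamp  source-IP  account  result
SAMPLE_LOG = """\
2021-12-27T10:00:01Z 203.0.113.7 alice@example.com FAIL
2021-12-27T10:00:02Z 203.0.113.7 bob@example.com FAIL
2021-12-27T10:00:02Z 203.0.113.7 carol@example.com FAIL
2021-12-27T10:00:03Z 203.0.113.7 dave@example.com SUCCESS
2021-12-27T10:00:04Z 203.0.113.7 erin@example.com FAIL
2021-12-27T10:00:05Z 203.0.113.7 frank@example.com FAIL
2021-12-27T10:05:00Z 198.51.100.9 alice@example.com FAIL
2021-12-27T10:05:30Z 198.51.100.9 alice@example.com FAIL
2021-12-27T10:06:00Z 198.51.100.9 alice@example.com SUCCESS
"""


def parse_line(line):
    """Turn one log line into a dict, or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, ip, account, result = parts
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "account": account.lower(),
        "ok": result == "SUCCESS",
    }


def find_stuffing_sources(log_text, window_minutes=10, min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that, inside one sliding window, touched at least
    `min_accounts` distinct accounts with a low success rate. That shape
    (breadth across accounts, few successes) is credential stuffing; one
    account hit repeatedly is brute force and is left to other rules."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            events_by_ip[event["ip"]].append(event)

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, events in events_by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward so it spans at most window_minutes.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            current = events[start:end + 1]
            accounts = {e["account"] for e in current}
            if len(accounts) < min_accounts:
                continue
            successes = [e["account"] for e in current if e["ok"]]
            if len(successes) / len(current) > max_success_rate:
                continue
            summary = flagged.get(ip)
            if summary is None or len(accounts) > summary["distinct_accounts"]:
                flagged[ip] = {
                    "distinct_accounts": len(accounts),
                    "attempts": len(current),
                    # Accounts where a stuffed credential worked: these are the
                    # reused passwords to force-reset and notify first.
                    "hit_accounts": sorted(set(successes)),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

On the sample data the first source is flagged (six accounts in five seconds, one success) while the second is not, because it only ever touches one account. The one successful login inside a flagged window is the actionable output: that account's password was reused from another breach and should be reset and the user notified, which is the remediation the article goes on to recommend.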
A heads up for my friends, LastPass password manager isn't secure at the moment. There's a certain rush to hijack all data using master passwords as we speak.
-- zodttd (@zodttd)
Overnight, LastPass provided AppleInsider with another statement on the matter.
"As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts.
We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third party as a result of this credential stuffing, nor have we found any indication that users' LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.
However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.
Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
These alerts were triggered due to LastPass's ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass' zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user's Master Password(s).
We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure."
AppleInsider recommends that users change their passwords, enable two-factor authentication, and keep an eye out for suspicious login attempts. There is also the option of removing passwords from the service and migrating to 1Password or Apple's iCloud Keychain.
LastPass is a free password manager available across desktop and mobile devices. There have been security concerns about the Android version of the app and its use of trackers.
Update 12/28 11:34 AM ET: Updated with more reports of an organized effort to penetrate LastPass repositories.
Update 12/28 12:10 PM ET: Updated with statement from LastPass.
Update 12/29 6:29 AM ET: Updated with another statement from LastPass.

Comments
You win Ridiculous Comment of the Day.
This is most surely someone using leaked account credentials that were reused on LastPass accounts. That’s the mistake some people probably made. Password managers don’t store the master password anywhere. Not the cloud. Not locally. It’s the “thing you know”.
My passwords reside (encrypted by a password manager) on my devices,
I can't pimp 1Password enough in this regard.
Does the Secret Key that 1Password utilizes for online accounts count as "a thing you know" to you? It's certainly "a thing I have" but I absolutely don't know it. As it's explained in their blog post, just having the user's URL, name, and password will not grant you access if you were to somehow hack into 1Password's server to steal their users' private values.
https://blog.1password.com/what-the-secret-key-does/
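LastPass's statement above says its zero-knowledge model means the service never stores or sees the master password, and the comment above asks what a device-held Secret Key adds on top of that. The model below is an added example written for this page; it is not LastPass's or 1Password's code, and the key-derivation layout, iteration count and the "Secret Key" mixed into the salt are simplified assumptions modelled on the linked blog post. It shows three things: the server holds only a salted hash of a derived token, so the master password is never on the server; that alone still lets someone who copies the server's table test password guesses offline; and a Secret Key the server never sees makes those offline guesses fail even when the password is in the wordlist.

```python
import hashlib
import hmac
import os

# Illustrative iteration count (assumption); real password managers use their own, larger settings.
ITERATIONS = 50_000


def derive_keys(master_password, email, secret_key=b""):
    """Client-side derivation. Returns (vault_key, auth_token).

    The vault key decrypts the vault locally and never leaves the device.
    The auth token is a separate one-way derivation sent to the server in
    place of the password. The optional Secret Key (hypothetical, held only
    on the user's devices) is mixed into the salt, so the server's records
    alone are not enough to reconstruct what the client computes.
    """
    salt = email.lower().encode() + secret_key
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    auth_token = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_token


class Server:
    """The provider side: stores only a per-user salt and a hash of the auth token."""

    def __init__(self):
        self.verifiers = {}

    @staticmethod
    def _hash(auth_token, salt):
        return hashlib.pbkdf2_hmac("sha256", auth_token, salt, ITERATIONS)

    def register(self, email, auth_token):
        salt = os.urandom(16)
        self.verifiers[email] = (salt, self._hash(auth_token, salt))

    def check(self, email, auth_token):
        if email not in self.verifiers:
            return False
        salt, stored = self.verifiers[email]
        return hmac.compare_digest(stored, self._hash(auth_token, salt))

    def stored_bytes(self, email):
        """Everything the server keeps for this user, for inspection."""
        salt, stored = self.verifiers[email]
        return salt + stored


def login(server, email, master_password, secret_key=b""):
    """What a client (or a credential-stuffing bot with a reused password) does."""
    _, auth_token = derive_keys(master_password, email, secret_key)
    return server.check(email, auth_token)


def offline_guess(server, email, wordlist, secret_key=b""):
    """What someone holding a copy of the server's verifier table could do:
    test candidate passwords without touching the live service. Returns the
    matching candidate or None. Without the Secret Key every guess fails,
    because the client-side salt cannot be reconstructed from the table."""
    salt, stored = server.verifiers[email]
    for candidate in wordlist:
        _, token = derive_keys(candidate, email, secret_key)
        if hmac.compare_digest(stored, Server._hash(token, salt)):
            return candidate
    return None


if __name__ == "__main__":
    srv = Server()
    _, tok = derive_keys("correct horse", "alice@example.com")
    srv.register("alice@example.com", tok)
    print("login ok:", login(srv, "alice@example.com", "correct horse"))
    print("offline guess without Secret Key:",
          offline_guess(srv, "alice@example.com", ["123456", "correct horse"]))
```

Two consequences follow. A reused master password is exactly as exposed here as on any other site, because the stuffing bot runs the same client derivation the real user does, which is why the statement can be true and the login attempts real at the same time. And zero knowledge on the server does not protect a weak master password from offline guessing once the verifier table leaks; the Secret Key closes that gap by adding material the server never held.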
I learned the hard way, had my LastPass account hacked, bad actor searches my LastPass account for cryptocurrency related accounts and you know the rest of the story,
Now even if someone has the master password, or even worse the master pw and remote access, they can't authenticate without inserting and pressing the YubiKey. Much better than text code 2FA or Authenticator apps
I’ve been using 1password since Apple ditched keychain on mobile me years ago. A little while ago I got frustrated with some aspects and looked into switching to DashLane or LastPass. Both of them use a browser based app with no option for a local database and no standalone app. After spending some time playing with them I quickly went back to 1Password.
Cloud-based storage is the most effective way to share the database across devices but not all security is created equal. Using a browser-based app just opens up a giant security hole. 1Password gives you the option of keeping your database local and if you do put it in the cloud, they require a unique database key generated by the app to access it in addition to your user name and password.
I have family account. I keep my super secret info on a private vault, and then I have several shared vaults which do go through my_name.1password.com. If they don't add this functionality I will not be moving from 1Password 7, or will have to find an alternate password manager solution all together.
I went ahead and moved my stuff from iCloud synced db to their cloud vault.