What happened with LastPass?


Late Tuesday evening, users of LastPass began to report concerning emails stating that their accounts had potentially been breached. LastPass, which has been in use since 2008 and has a free version as well as paid versions, is an online password manager that stores and protects the passwords for the various online accounts of over 25 million users.

The scare was first noted on a Hacker News blog, where one user posted that they had received an email from LastPass, notifying them that their account and passwords had been breached. A short time later, many other users began to report that they had also received the emails from LastPass about their accounts being breached. According to the emails that users received, attempts had been made to log in to their accounts numerous times, from numerous locations, using the correct master password, and the emails were legitimate emails from LastPass.

Although this sounds alarming, LastPass is assuring users not to worry: their accounts and passwords were not actually breached. Instead, a type of attack called "credential stuffing" was being attempted against targeted accounts, which caused the notification emails to be sent to users, but the attempts were unsuccessful. In this type of cyberattack, the attacker tries login credentials taken from other, unrelated accounts and services that were exposed in earlier, separate breaches, relying on users who never changed those old passwords.

To put an end to the scare, LastPass posted on their blog, "As part of our commitment to security, we regularly monitor our services for actual, suspected, or attempted malicious or unusual activity. We recently investigated reports of an uptick of users receiving blocked access emails, normally sent to users who log in from different devices and locations. Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns. However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert emails to be triggered from our systems. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved."

While LastPass assures users that their account information and passwords are safe, they do suggest monitoring accounts for strange activity, keeping virus protection up to date, updating your master password if it has been some time since you last did so, and not reusing passwords across different accounts or sharing master passwords with others. For added safety, users can also turn on two-factor authentication for their LastPass and other sensitive accounts.
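To show the distinction LastPass draws above between a credential-stuffing campaign and a single user signing in from a new location, here is an added Python example (not LastPass's code) that runs a simple detection rule over a constructed authentication log: a source IP that tries many distinct accounts within a short window is treated as credential stuffing, while repeated attempts on one account from one address are treated as an ordinary new-location login. The thresholds, IP addresses and account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events: (UTC time, account, source IP, result).
# 203.0.113.5 cycles through many different accounts in seconds (stuffing pattern);
# 198.51.100.7 is one user retrying their own account from a new location.
SAMPLE_EVENTS = [
    ("2021-12-28T22:00:01", "ann@example.com", "203.0.113.5", "fail"),
    ("2021-12-28T22:00:02", "bob@example.com", "203.0.113.5", "fail"),
    ("2021-12-28T22:00:03", "cat@example.com", "203.0.113.5", "fail"),
    ("2021-12-28T22:00:04", "dan@example.com", "203.0.113.5", "fail"),
    ("2021-12-28T22:00:05", "eve@example.com", "203.0.113.5", "fail"),
    ("2021-12-28T22:00:06", "fay@example.com", "203.0.113.5", "blocked"),
    ("2021-12-28T22:10:00", "gus@example.com", "198.51.100.7", "fail"),
    ("2021-12-28T22:10:20", "gus@example.com", "198.51.100.7", "blocked"),
]

def parse(events):
    """Turn the raw tuples into (datetime, account, ip, result), oldest first."""
    return sorted((datetime.fromisoformat(t), a, ip, r) for t, a, ip, r in events)

def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Return the source IPs that hit at least `min_accounts` distinct accounts
    inside any sliding time window of length `window` (assumed thresholds)."""
    by_ip = defaultdict(list)
    for ts, acct, ip, _ in parse(events):
        by_ip[ip].append((ts, acct))
    flagged = set()
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it covers at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({a for _, a in attempts[start:end + 1]}) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def classify_accounts(events, **thresholds):
    """Label each account touched: 'credential_stuffing' if any attempt on it
    came from a flagged source, otherwise 'new_device_or_location'."""
    bad = stuffing_sources(events, **thresholds)
    labels = {}
    for _, acct, ip, _ in parse(events):
        if ip in bad:
            labels[acct] = "credential_stuffing"
        else:
            labels.setdefault(acct, "new_device_or_location")
    return labels
```

A real alerting pipeline would use the stuffing label to suppress the per-user "blocked access" email and raise one incident for the source instead, which is the kind of adjustment LastPass describes making to its alert system.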
