Several LastPass users have reported receiving emails from the company informing them of unauthorized login attempts using their master passwords. LastPass has responded to the incident, claiming that no user information has been compromised.
The reports began to surface after a LastPass user posted about the problem on the Hacker News forum, saying that LastPass had alerted him to a login attempt from Brazil that used his master password. Others quickly replied to say they had had the same experience.
Some were also warned of an attempt from Brazil, as the original poster (@technology greg) points out in a tweet, while further attempts were traced back to other countries. Understandably, this raised fears of a security vulnerability.
This fueled speculation that LastPass may have exposed master passwords, since these emails are only sent when a login attempt uses the correct master password. That seemed implausible, however, given that LastPass explicitly states that it does not keep master passwords on its servers and that all decryption is done locally on the user's device.
According to Nikolett Bacso-Albaum (per The Verge), senior director of LogMeIn Global PR, the alerts users received were related to "fairly common bot-related activity," involving malicious attempts to log into LastPass accounts using email addresses and passwords obtained from previous breaches of third-party services (i.e. not LastPass).
In this case LastPass appears to have done exactly what it is designed to do: block a suspicious login attempt.
It appears that the users whose passwords were obtained were the victims of a keylogger or some other third-party attack. Their credentials could also have been exposed in a breach of another service where they reused the same email address and password.
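As an added example (not from the article or from LastPass), here are the two checks a defender would run over login telemetry for the pattern described above: a correct-password login from a country the account has never used (the event behind the warning emails), and one source IP trying many different accounts in a short window (the bot-driven credential stuffing LastPass attributed it to). The log lines, account names and addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log (not real LastPass data): "timestamp user source_ip country outcome"
SAMPLE_LOG = [
    "2021-12-27T09:00:00 alice@example.com 198.51.100.7 US success",
    "2021-12-27T09:10:00 bob@example.com 203.0.113.9 DE success",
    "2021-12-27T11:00:00 alice@example.com 192.0.2.44 BR success",  # right password, new country
    "2021-12-27T11:00:01 bob@example.com 192.0.2.44 BR failure",
    "2021-12-27T11:00:02 carol@example.com 192.0.2.44 BR failure",
    "2021-12-27T11:00:03 dave@example.com 192.0.2.44 BR failure",
    "2021-12-27T11:00:04 erin@example.com 192.0.2.44 BR failure",
    "2021-12-27T12:00:00 bob@example.com 203.0.113.9 DE success",
]

def parse(lines):  # -> [(timestamp, user, ip, country, outcome)], oldest first
    events = []
    for line in lines:
        ts, user, ip, country, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, country, outcome))
    return sorted(events)

def success_from_new_country(lines):
    """Flag successful logins from a country the account has never logged in
    from before. An account's very first success only seeds its baseline."""
    seen = defaultdict(set)
    alerts = []
    for _, user, _, country, outcome in parse(lines):
        if outcome != "success":
            continue
        if seen[user] and country not in seen[user]:
            alerts.append((user, country))
        seen[user].add(country)
    return alerts

def stuffing_sources(lines, min_accounts=4, window=timedelta(minutes=5)):
    """Flag source IPs that tried at least min_accounts distinct accounts
    within any window, whatever the outcome: one host, many identities."""
    by_ip = defaultdict(list)
    for ts, user, ip, _, _ in parse(lines):
        by_ip[ip].append((ts, user))
    flagged = []
    for ip, attempts in by_ip.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged.append(ip)
                break
    return flagged
```

On the sample log the first check raises exactly one alert (alice, BR) while the second flags 192.0.2.44 as the host spraying five accounts in four seconds; in a real deployment the new-country alert is what goes to the user, and the spraying source is what goes to the blocklist.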
Users who received these warnings, however, have said that their passwords are unique to LastPass and are not used anywhere else. While LastPass provided no information about the threat actors behind these credential stuffing attempts, security researcher Bob Diachenko recently discovered hundreds of LastPass credentials while reviewing RedLine Stealer malware logs.
This suggests that, at least in some of the reported cases, the threat actors behind the takeover attempts used some other method to obtain their targets' master passwords.
LastPass says it has found no evidence that it leaked user data or that an attacker gained access to any user accounts. If you're a LastPass customer and that sounds like cold comfort, a sensible step is to enable multi-factor authentication as an added layer of security, which is what you should be doing as standard anyway.