Many users of the LastPass password manager platform recently reported that their master passwords – the passwords they use to access LastPass itself – appeared to have been compromised. These users reported receiving email warnings that another party had attempted to log in to their account, and that LastPass had blocked the attempt because it came from an unfamiliar device or location.
The login emails said: “Someone just used your master password to try to log in to your account from a device or location we didn’t recognize.
“LastPass blocked this attempt, but you should take a closer look. Was this you?”
Social media sites and online forums were ablaze with reports from people who had received these warnings, which were sent on 28th December 2021.
LastPass says “credential stuffing” is to blame (at first!)
Nikolett Bacso-Albaum, a senior director at LogMeIn, which acquired LastPass in 2015, told BleepingComputer: “LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.
“It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”
Many LastPass users responded to this statement by posting on social media and forums that their LastPass password was unique to the platform.
In addition, noted security researcher Bob Diachenko said he recently discovered a trove of LastPass credentials when analysing Redline Stealer malware logs. However, when LastPass users who had received a warning sent their emails to Diachenko, he reported that none were in the list.
As such, whoever held valid LastPass username and password details for these users must have obtained them from somewhere other than that malware log.
On top of all this, some users reported changing their master passwords after getting the login warning, only to receive another one shortly afterwards.
So what actually happened?
If a data breach of some kind has occurred, then LastPass isn’t saying so.
LastPass did, however, provide a statement to BleepingComputer, in which it said that some of the emails were likely sent in error.
The statement read: “As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts.
“We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third party as a result of this credential stuffing, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.
“However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.
“Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
“These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).
“We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.”
What the statement doesn’t answer is this: if only some of the emails were sent in error, where did the credentials used in the remaining login attempts come from, given that many of the affected customers don’t use their LastPass master password anywhere else?