29 December 2021

Multiple LastPass users report suspicious login attempts, the company says there’s no evidence of a data breach

LogMeIn, the company behind the password manager LastPass, said it has found no evidence of a data breach after multiple users reported receiving security alerts from the company about unauthorized login attempts, made from various locations, that used their correct master passwords.

Reports of compromised LastPass master passwords first surfaced on the Hacker News forum, followed by users on Twitter and Reddit who reported experiencing the same issue.

In a statement to The Verge, LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum explained that the alerts users received were related “to fairly common bot-related activity,” involving malicious attempts to log in to LastPass accounts using email addresses and passwords that attackers obtained from past breaches of third-party services (i.e. not LastPass).

“It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure,” Bacso-Albaum said.

However, in a statement on the company’s website, LastPass Senior Director of Engineering Gabor Angyal provided more detail, saying that some of the security alerts users received were “likely triggered in error.”

“We recently investigated reports of an uptick of users receiving blocked access emails, normally sent to users who log in from different devices and locations,” Angyal said in a blog post. “Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.”

He added that the investigation into the issue revealed that some of the security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error.

“As a result, we have adjusted our security alert systems and this issue has since been resolved. These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to remember that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s),” Angyal said.
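The two statements describe two separate mechanisms that users easily conflate: a bot hammering many accounts with breached credentials (credential stuffing), and a per-account “new device or location” notification that, when mis-tuned, fires on attempts that never got in. As an added illustration (not LastPass’s own system, whose internals the post does not describe), the following Python runs both over a constructed auth log. The log format, the thresholds, the known-device table and the sample entries are all assumptions made for the example.

```python
"""Credential-stuffing detection vs. new-device alerting over a toy auth log.

Added example only; not LastPass code. Log format, thresholds and the
known-device table below are assumptions constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log: one bot source (203.0.113.7) sprays six accounts with
# breached passwords and gets one hit; a real user (alice) then logs in from a
# device she has used before and afterwards from a genuinely new one.
SAMPLE_LOG = """\
2021-12-27T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail device=bot-00
2021-12-27T10:00:02Z ip=203.0.113.7 user=bob@example.com result=fail device=bot-00
2021-12-27T10:00:03Z ip=203.0.113.7 user=carol@example.com result=fail device=bot-00
2021-12-27T10:00:04Z ip=203.0.113.7 user=dave@example.com result=fail device=bot-00
2021-12-27T10:00:05Z ip=203.0.113.7 user=erin@example.com result=fail device=bot-00
2021-12-27T10:00:06Z ip=203.0.113.7 user=frank@example.com result=success device=bot-00
2021-12-27T10:05:00Z ip=198.51.100.9 user=alice@example.com result=success device=dev-a1
2021-12-27T10:06:00Z ip=198.51.100.9 user=alice@example.com result=success device=dev-a2
"""

# Assumed per-user table of device identifiers already trusted for that account.
KNOWN_DEVICES = {
    "alice@example.com": {"dev-a1"},
    "frank@example.com": {"dev-f1"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) device=(?P<device>\S+)$"
)


def parse_log(text):
    """Parse the key=value lines above into a list of dicts (assumed format)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts and mostly fail.

    That shape (breadth across accounts, low success rate) is the signature of
    replaying third-party breach dumps, as opposed to one user mistyping.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] != "success":
            s["fails"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {"accounts": len(s["users"]), "fail_ratio": round(ratio, 2)}
    return flagged


def new_device_alerts(events, known_devices, alert_on_failures=False):
    """Return (user, ip, device) tuples that would trigger a new-device mail.

    With alert_on_failures=True every failed guess from an unknown device also
    mails the account owner, so a stuffing run floods victims with alerts even
    though nothing was accessed. Alerting only on successes keeps the mail a
    meaningful signal; only successful logins enrol the device as seen.
    """
    seen = {u: set(d) for u, d in known_devices.items()}
    alerts = []
    for e in events:
        succeeded = e["result"] == "success"
        if not succeeded and not alert_on_failures:
            continue
        if e["device"] not in seen.setdefault(e["user"], set()):
            alerts.append((e["user"], e["ip"], e["device"]))
            if succeeded:
                seen[e["user"]].add(e["device"])
    return alerts


def successes_from_stuffing_sources(events, flagged):
    """The one outcome worth escalating: a success from a flagged source."""
    return [(e["user"], e["ip"]) for e in events
            if e["ip"] in flagged and e["result"] == "success"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = find_stuffing_sources(evs)
    print("stuffing sources:", flagged)
    print("alerts (successes only):", new_device_alerts(evs, KNOWN_DEVICES))
    print("alerts (incl. failures):", len(new_device_alerts(evs, KNOWN_DEVICES, True)))
    print("escalate:", successes_from_stuffing_sources(evs, flagged))
```

On the sample, the failure-inclusive variant sends seven alerts, five of them to accounts that were never accessed, which is the kind of noise the post attributes to alerts “triggered in error”; the success-only variant sends two, and correlating successes against flagged sources singles out the one account that actually needs a forced re-authentication and credential rotation.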
