LogMeIn, the company behind the password manager LastPass, said it has found no evidence of a data breach after multiple users reported receiving security alerts from the company about unauthorized login attempts, made from various locations, that used their correct master passwords.
Reports of compromised LastPass passwords first emerged on the Hacker News forum, followed by users on Twitter and Reddit who reported the same issue.
In a statement to The Verge, LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum explained that the alerts users received were related “to fairly common bot-related activity”: malicious attempts to log in to LastPass accounts using email addresses and passwords that attackers had obtained from past breaches of third-party services, not of LastPass itself.
“It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure,” Bacso-Albaum said.
However, in a post on the company’s website, LastPass Senior Director of Engineering Gabor Angyal gave a more detailed account, saying that some of the security alerts users received were “likely triggered in error.”
“We recently investigated reports of an uptick of users receiving blocked access emails, normally sent to users who log in from different devices and locations,” Angyal said in the blog post. “Our initial findings led us to believe that these alerts were triggered in response to attempted ‘credential stuffing’ activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.”
He added that the investigation into the issue revealed that some of the security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error.
“As a result, we have adjusted our security alert systems and this issue has since been resolved. These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to remember that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s),” Angyal said.
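The two patterns the statements above describe, a credential-stuffing campaign that walks a leaked credential list across many accounts from one source, and the “new device or location” alert that a single user’s own login normally triggers, are easy to confuse when the alert rule looks at each account in isolation. The following is an added example, not LastPass’s code (the article shows none): it runs a naive per-account rule and a source-aware rule over a constructed authentication log. The log format, the `KNOWN_DEVICES` table, the thresholds and the alert wording are all assumptions for illustration.

```python
"""Added example: telling credential stuffing apart from a user's own new-device
login over a constructed authentication log. Not LastPass's code; the log
format, thresholds and field names are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    ts: int            # epoch seconds
    email: str
    src_ip: str
    user_agent: str
    password_ok: bool  # server-side credential check passed


# Constructed sample log (not real telemetry): one automated source sprays six
# accounts with leaked passwords, one of which happens to be reused, while
# alice later logs in herself from a new laptop.
LOG = [
    LoginAttempt(1000, "alice@example.com", "203.0.113.7", "python-requests/2.31", False),
    LoginAttempt(1001, "bob@example.com",   "203.0.113.7", "python-requests/2.31", False),
    LoginAttempt(1002, "carol@example.com", "203.0.113.7", "python-requests/2.31", True),   # reused password
    LoginAttempt(1003, "dave@example.com",  "203.0.113.7", "python-requests/2.31", False),
    LoginAttempt(1004, "erin@example.com",  "203.0.113.7", "python-requests/2.31", False),
    LoginAttempt(1005, "frank@example.com", "203.0.113.7", "python-requests/2.31", False),
    LoginAttempt(1100, "alice@example.com", "198.51.100.20", "Mozilla/5.0 (Macintosh)", True),  # alice, new laptop
]

# Devices each account has previously logged in from (constructed)
KNOWN_DEVICES = {
    "alice@example.com": {("192.0.2.10", "Mozilla/5.0 (Windows)")},
    "carol@example.com": {("192.0.2.11", "Mozilla/5.0 (Windows)")},
}


def stuffing_sources(log, window=600, min_accounts=5, max_success_rate=0.25):
    """Return src_ips that, within `window` seconds, tried at least `min_accounts`
    distinct accounts with a success rate at or below `max_success_rate`.
    A user mistyping their own password hits one account; a stuffing bot
    walks a breached credential list across many, and most of them fail."""
    by_ip = defaultdict(list)
    for a in log:
        by_ip[a.src_ip].append(a)
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(attempts)):
            while attempts[end].ts - attempts[start].ts > window:
                start += 1            # slide the window forward
            span = attempts[start:end + 1]
            accounts = {a.email for a in span}
            ok = sum(a.password_ok for a in span)
            if len(accounts) >= min_accounts and ok / len(span) <= max_success_rate:
                flagged[ip] = {"accounts": len(accounts), "attempts": len(span), "successes": ok}
                break
    return flagged


def naive_alerts(log, known):
    """Over-eager rule: notify the owner of every account touched from an
    unknown device/location, correct password or not. Every probe from a
    stuffing bot becomes a separate email to a different user."""
    return [(a.email, a.src_ip) for a in log
            if (a.src_ip, a.user_agent) not in known.get(a.email, set())]


def tuned_alerts(log, known):
    """Attribute each attempt first. Probes from a flagged stuffing source are
    handled at the source (block or rate-limit); only a *successful* login from
    such a source warrants contacting the user, since their reused password is
    now confirmed. Attempts outside any campaign keep the new-device alert."""
    bots = stuffing_sources(log)
    alerts = []
    for a in log:
        if (a.src_ip, a.user_agent) in known.get(a.email, set()):
            continue                  # known device, nothing to say
        if a.src_ip in bots:
            if a.password_ok:
                alerts.append((a.email, a.src_ip, "reused password confirmed by stuffing campaign"))
        else:
            alerts.append((a.email, a.src_ip, "login from new device"))
    return alerts


if __name__ == "__main__":
    print("stuffing sources:", stuffing_sources(LOG))
    print("naive alerts:", len(naive_alerts(LOG, KNOWN_DEVICES)))
    for alert in tuned_alerts(LOG, KNOWN_DEVICES):
        print("tuned alert:", alert)
```

On the sample log the naive rule emails all six sprayed accounts plus alice, so five users whose password the bot got wrong still receive a “login from a new location” notice; the source-aware rule emails only carol, whose reused password actually worked, and alice for her genuine new-device login. Whether an alert should say anything about the password being correct is a separate choice, but it cannot be decided per account without first asking whether the attempt belongs to a bulk campaign.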