Reports originated from Hacker News, where a user said, “LastPass blocked a login attempt from Brazil (it wasn’t me). According to an email I received from LastPass, this login was using the LastPass account’s master password. The email doesn’t look like it’s a phishing attempt.”
This led to speculation that LastPass may have somehow leaked master passwords, as these emails only arrive if the unauthorized person logs in with the correct password. However, this seemed unlikely, as LastPass makes it clear that it doesn’t store master passwords on its servers and that everything is done locally.
We reached out to LastPass for comment, and a spokesperson confirmed our suspicions:
“We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third party as a result of this credential stuffing, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.
However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.
Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).
We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.”
It seems LastPass did exactly what it’s supposed to do in this situation by blocking a login attempt that seemed suspicious.
It sounds like the users whose passwords were stolen could have been victims of a keylogger or another third-party form of attack. Their credentials could also have been leaked in an unrelated breach of a site where they used the same email address and password.
Either way, if you’re a LastPass user (or user of any sensitive tool like a password manager), it’s a good idea to enable two-factor authentication to make sure you’re safe from anyone gaining unauthorized access to your account. It’s also never a bad idea to change your password if you’re worried it may be compromised for any reason.
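To make the article’s reasoning concrete (the server can confirm a correct master password without ever holding it, a reused password therefore still authenticates, and a second factor stops the login anyway), here is an added illustration in Python. It is not LastPass’s code and does not use LastPass’s real KDF parameters or alert rules; the iteration count, the “trusted location” check, the sample user and the RFC 6238 test secret are all constructed assumptions. Only a salted hash of the client-derived auth hash ever reaches the server, and the “alerts” list stands in for the blocked-login e-mails the article describes.

```python
import hashlib
import hmac
import os
import struct

# Constructed parameter for this illustration; it is NOT LastPass's real
# KDF setting, only the shape of a zero-knowledge login.
KDF_ITERATIONS = 100_000


def derive_vault_key(email: str, master_password: str) -> bytes:
    """Client side only: the key that encrypts the vault never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ITERATIONS)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side only: one extra round turns the vault key into a login token,
    so the server can check the password without ever seeing it or the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the second factor the article recommends."""
    msg = struct.pack(">Q", now // step)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class VaultServer:
    """Stores only a salted hash of the auth hash plus an optional TOTP secret."""

    def __init__(self):
        self.users = {}
        self.alerts = []  # stands in for the "login blocked" e-mails

    def register(self, email, auth_hash, totp_secret=None):
        salt = os.urandom(16)
        self.users[email] = {
            "salt": salt,
            "verifier": hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 1),
            "totp_secret": totp_secret,
            "trusted_locations": {"home"},  # constructed stand-in for device/location trust
        }

    def login(self, email, auth_hash, location, totp_code=None, now=0):
        rec = self.users[email]
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, rec["salt"], 1)
        if not hmac.compare_digest(candidate, rec["verifier"]):
            return "wrong_password"  # plain failure: no alert e-mail is sent
        # From here on the password was right, which is exactly when the
        # article's alert e-mails are generated.
        if location not in rec["trusted_locations"]:
            self.alerts.append((email, location))
            if rec["totp_secret"] is None:
                return "blocked_unknown_location"
        if rec["totp_secret"] is not None:
            expected = totp(rec["totp_secret"], now)
            if totp_code is None or not hmac.compare_digest(totp_code, expected):
                return "second_factor_required"
        return "ok"


def simulate():
    """Walk through the scenarios in the article and return each outcome."""
    email = "alice@example.com"               # constructed sample user
    master = "correct horse battery staple"   # constructed; also reused on another site
    server = VaultServer()
    auth_hash = derive_auth_hash(derive_vault_key(email, master), master)
    server.register(email, auth_hash)

    results = {}
    results["owner_home"] = server.login(email, auth_hash, "home")
    # Credential stuffing: the attacker's client runs the same derivation on the
    # reused password, so the auth hash matches and the server sees a correct login.
    stuffed = derive_auth_hash(derive_vault_key(email, master), master)
    results["stuffing_correct"] = server.login(email, stuffed, "unknown")
    wrong = derive_auth_hash(derive_vault_key(email, "hunter2"), "hunter2")
    results["stuffing_wrong"] = server.login(email, wrong, "unknown")
    results["alerts_after_stuffing"] = len(server.alerts)

    # Mitigation from the article: enable a second factor.
    secret = b"12345678901234567890"  # RFC 6238 test secret, constructed for the demo
    server.register(email, auth_hash, totp_secret=secret)
    results["stuffing_with_2fa_no_code"] = server.login(email, auth_hash, "unknown", now=59)
    results["owner_with_code"] = server.login(email, auth_hash, "home",
                                              totp_code=totp(secret, 59), now=59)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The point to take from the run: the server’s stored verifier lets it distinguish a correct password from a wrong one (so it can fire an alert only on correct-password attempts from an unfamiliar place) while never holding the master password or the vault key, and a reused password derived on an attacker’s machine passes that check just as the owner’s does, which is why the second factor, not the password check, is what stops the stuffing attempt.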