We first covered these LastPass alerts yesterday, and LastPass said it was likely a third-party leak that caused unauthorized access. After further investigation, however, the company found that the warnings were sent to users in error.
We received an email from LastPass explaining the situation. Dan DeMichele, VP of Product Management at LastPass, broke down what happened:
We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that users' LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.
However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.
Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
These alerts were triggered due to LastPass's ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass' zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user's Master Password(s).
We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.
It’s an unfortunate error, but at least LastPass users can rest easy knowing their accounts are safe and that a simple mistake caused them to receive the alert. Still, it might be a good idea to set up two-factor authentication just to be safe.