Users report compromised LastPass master password

Is there a problem with the password manager LastPass? LastPass users fear that their master passwords have been compromised: they received email alerts that someone tried to log into their accounts from unknown locations. This could indicate a larger security issue. In any case, LastPass users should change their master password as a precaution and enable two-factor authentication for the service.



The first report I came across is from December 27, 2021, in the following tweet, which urges LastPass users to change their master password.

Warning about LastPass master password leak

There is a suspicion that the service has a security problem. On this page, an affected user describes the problem he recently faced.

How did my LastPass master password get leaked?

Hi,

I've just had a bizarre thing happen and wanted to see if the HN community could come up with some theories as to what happened.

LastPass blocked a login attempt from Brazil (it wasn't me). According to an email I received from LastPass, this login was using the LastPass account's master password. The email doesn't look like it's a phishing attempt.

What troubles me is that the master password was stored in a local encrypted KeePassX file.

I can imagine that someone has my KeePassX file and the (completely different) password to this file. If that's the case, I'm in a world of hurt.

But are there any other possibilities? Is the email from LastPass accurate i.e. was the login attempt actually using my master password? Is there some LastPass extension installed on some computer still having a valid auth token allowing them to login as me to LastPass..?

I'm really confused, and scared.

Thanks for your help.

P.S. The LastPass account had 2FA set up, but I was able to simply remove it (since I didn't have access to the token anymore). That's scary too — what's the point of a 2FA you can remove…??

Update:

– the email was truly not phishing — the same information regarding the login attempt appears in my LastPass dashboard. I also talked to LastPass support over the phone, and they confirmed seeing the same information.

– There are 2 separate users in the thread below confirming that the exact same thing happened to them, from the exact same IP range as me.

Either the 3 of us had the same malware/Chrome extension or somehow had our master passwords compromised…? Or…? Is this a LastPass issue?

LastPass blocked the access because it was attempted from an unusual location (Brazil), and the attempt used the account's master password. The platform blocked the login only because the location was unusual. The user states that his 2FA protection could be disabled easily. Meanwhile, other users confirmed this observation, and LastPass support was also able to see the activity.

Warning from LastPass support

Meanwhile, sites like The Record report on the suspicion that LastPass users are being attacked using their master passwords. It is suspected that cybercriminals may have obtained the master passwords via credential stuffing (trying leaked email/password pairs). There have been security incidents at LastPass where passwords were stolen.



Nikolett Bacso-Albaum, global PR/AR senior director at LogMeIn, told BleepingComputer: "LastPass has investigated recent reports of blocked login attempts and determined that this is a relatively common bot activity where a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party vendors in connection with other unaffiliated services."

From LastPass support, there is a document Unusual Attempted Login Activity: How LastPass Protects You dated December 28, 2021, which provides guidance on how the service prevents misuse and what users can do to safeguard against password theft.

Statement about LastPass incident

Addendum: According to this tweet from the colleagues at Bleeping Computer, the notifications were triggered by a bug in the LastPass service. But I do see the problem that some users use a master password which can easily be cracked by password stuffing (trying known passwords from leaks).
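The two patterns the post describes, a single IP range touching many accounts once each (credential stuffing from leaked email/password pairs) and a login attempt from a country the account has never successfully used (the "blocked from Brazil" alert), can be told apart from the authentication log. The following is an added example, not code from this blog or from LastPass; the log format and all values are constructed, and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log lines (not real LastPass data):
# timestamp account source_ip country outcome
SAMPLE_LOG = """\
2021-12-27T10:01:02Z alice@example.invalid 198.51.100.17 BR blocked
2021-12-27T10:01:05Z bob@example.invalid 198.51.100.23 BR blocked
2021-12-27T10:01:09Z carol@example.invalid 198.51.100.41 BR blocked
2021-12-27T10:01:15Z dave@example.invalid 198.51.100.77 BR blocked
2021-12-27T10:02:00Z erin@example.invalid 203.0.113.5 DE success
2021-12-27T10:03:10Z alice@example.invalid 203.0.113.9 DE success
"""

def parse_log(text):
    """Split whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, country, outcome = line.split()
        events.append({"ts": ts, "account": account, "ip": ip,
                       "country": country, "outcome": outcome})
    return events

def stuffing_sources(events, prefix_len=24, min_accounts=3):
    """Source networks (/prefix_len) that touched >= min_accounts distinct accounts.

    Credential stuffing tries one leaked credential pair per account, so a
    single network hits many accounts with about one attempt each; a brute
    force against one account looks the opposite (many attempts, one account)."""
    accounts = defaultdict(set)
    attempts = defaultdict(int)
    for ev in events:
        net = str(ipaddress.ip_network(f"{ev['ip']}/{prefix_len}", strict=False))
        accounts[net].add(ev["account"])
        attempts[net] += 1
    return {net: {"accounts": len(accs), "attempts": attempts[net]}
            for net, accs in accounts.items() if len(accs) >= min_accounts}

def unusual_location_attempts(events):
    """Attempts from a country never seen in that account's successful logins.

    The baseline is built from successful logins only; accounts that have no
    successful login in the log yet are skipped rather than alerted on."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["outcome"] == "success":
            baseline[ev["account"]].add(ev["country"])
    return [(ev["account"], ev["country"], ev["ip"]) for ev in events
            if baseline[ev["account"]] and ev["country"] not in baseline[ev["account"]]]
```

Run over the sample log, the first function flags the whole /24 that tried four different accounts once each, and the second reports only alice's attempt from BR, because alice is the only one of those accounts with a known-good country.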
