LastPass claims no accounts compromised after security warnings

If you use LastPass, make sure to change your master password. Just in case.

According to a newly released statement by LastPass, there is ‘no indication’ of any data breach following users' reports that they had been notified of unauthorized logins. The popular password manager company claims that it has never been hacked and that no user accounts have been accessed by malicious actors.

The scare about a potential data breach originally came to light on December 27 when a LastPass user submitted a post to Hacker News, stating that they received a security alert from LastPass about a blocked login attempt from Brazil. According to the user, the person who attempted the login was using their LastPass account's master password.

As panic among LastPass users began to spread across social media, the company launched an investigation into the possible incident.

LastPass points to credential stuffing attacks

“Our initial findings led us to believe that these alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to remember that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s),” Gabor Angyal, VP of Engineering at LastPass, said in the company’s blog post.

If these findings are correct, the security warnings might have been sent as a result of threat actors trying to gain access to multiple LastPass accounts using stolen login credentials acquired from unrelated data breaches.

According to Angyal, the investigation has shown “no indication that any LastPass accounts were compromised,” and the company found no evidence that any login credentials were stolen by “malware, rogue browser extensions, or phishing campaigns.”

“Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved,” reads the LastPass statement.

Next steps

If you’re a LastPass user, this might be a good time to change your master password.

Even though the company’s own investigation found ‘no indication’ of compromise, we highly recommend you create a new master password immediately and enable two-factor authentication if possible.

Don’t forget to make sure it’s long, complex, unique, and has not been leaked previously. Or use our free strong password generator to come up with a good one for you.
