LastPass: No User Accounts Have Been Compromised
Password Manager Users Reported Concerns After Receiving Email Warnings
Password manager LastPass, which helps store encrypted passwords accessible with a single master password, has addressed concerns from its users about master password compromise resulting in unauthorized account access.
The users say they have received email warnings that are normally sent to users who log in from different devices and locations, causing them to think their master passwords have been compromised.
The company, in a blog post, says it has investigated this activity and has found "no indication that any LastPass accounts were compromised by an unauthorized third party as a result of these credential stuffing attempts."
The company has also found "no indication that LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns," says Gabor Angyal, senior director of engineering at LastPass, in the blog post.
"Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved,” Angyal says.
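The alert behavior described above, an email sent when a login comes from a new device or location, has a well-known false-positive mode: if the alert fires on any attempt from an unseen device rather than only on a successful one, a rejected credential-stuffing run looks to the user like a compromise. The following added example (not LastPass's code; the log format, baseline and field names are constructed for illustration) runs both the naive and the hardened alert rules over sample events and separately surfaces the credential-stuffing signature, many failures against many accounts from one source:

```python
import json
from collections import defaultdict

# Constructed sample auth log (JSON lines), not real LastPass data.
# Addresses are documentation ranges; 203.0.113.9 plays the role of a
# credential-stuffing source that fails against many accounts.
SAMPLE_LOG = """
{"ts": 1, "user": "alice", "ip": "198.51.100.7", "device": "dev-A1", "result": "success"}
{"ts": 2, "user": "alice", "ip": "203.0.113.9", "device": "dev-X", "result": "failure"}
{"ts": 3, "user": "bob", "ip": "203.0.113.9", "device": "dev-X", "result": "failure"}
{"ts": 4, "user": "carol", "ip": "203.0.113.9", "device": "dev-X", "result": "failure"}
{"ts": 5, "user": "dave", "ip": "203.0.113.9", "device": "dev-X", "result": "failure"}
{"ts": 6, "user": "bob", "ip": "198.51.100.8", "device": "dev-B1", "result": "success"}
{"ts": 7, "user": "bob", "ip": "192.0.2.44", "device": "dev-B2", "result": "success"}
"""

# Devices each user has previously logged in from (constructed baseline).
KNOWN_DEVICES = {"alice": {"dev-A1"}, "bob": {"dev-B1"}}


def load_events(log_text):
    """Parse JSON-lines auth events, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def naive_new_device_alerts(events, known_devices):
    """Alert on *any* attempt from a device the user has not used before.

    This is the failure mode to avoid: a credential-stuffing run that never
    gets past the password check still produces a 'new device' warning for
    every account it touches.
    """
    known = {u: set(d) for u, d in known_devices.items()}
    alerts = []
    for ev in events:
        if ev["device"] not in known.get(ev["user"], set()):
            alerts.append({"user": ev["user"], "device": ev["device"],
                           "ip": ev["ip"], "ts": ev["ts"]})
    return alerts


def new_device_alerts(events, known_devices):
    """Alert only on a *successful* login from a previously unseen device.

    Failed attempts are excluded, so rejected credential-stuffing guesses do
    not look like compromise; a success from a new device then enrols it.
    """
    known = {u: set(d) for u, d in known_devices.items()}
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        seen = known.setdefault(ev["user"], set())
        if ev["device"] not in seen:
            alerts.append({"user": ev["user"], "device": ev["device"],
                           "ip": ev["ip"], "ts": ev["ts"]})
            seen.add(ev["device"])
    return alerts


def stuffing_sources(events, min_users=3):
    """Return {ip: set(users)} for IPs whose failures span >= min_users accounts.

    Failures against many different accounts from one source is the classic
    credential-stuffing signature; it belongs in a defender-facing feed, not in
    per-user 'new device' alerts.
    """
    failures = defaultdict(set)
    for ev in events:
        if ev["result"] == "failure":
            failures[ev["ip"]].add(ev["user"])
    return {ip: users for ip, users in failures.items() if len(users) >= min_users}


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    print("naive alerts:", len(naive_new_device_alerts(events, KNOWN_DEVICES)))
    print("hardened alerts:", new_device_alerts(events, KNOWN_DEVICES))
    print("stuffing sources:", stuffing_sources(events))
```

On the sample log the naive rule emits five user-facing alerts, four of them for accounts the stuffing source never got into; the hardened rule emits one, for bob's genuine login from a new device, while the stuffing source is reported once, by IP, for the security team rather than to each user.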
The company did not respond to Information Security Media Group's request for additional details.
User Concerns
Many users on Tuesday posted concerns about master password compromise on online forums.
LastPass user u/forcomp1234, in a Reddit post titled "Recent successful login attempts from odd IPs?" asks fellow Reddit users: "Anyone else here seen successful login attempts using their master password from IPs looking like compromised hosts? I've got a lastpass account with a dedicated master password (and 2FA) - ie the password exists offline, on my devices, in my brain, and in some form (presumably heavily hashed) at lastpass. I got a notification today of a successful use of my master password from 23[.]236[.]213[.]5 - which looks like an anonymizing proxy service. I'm pretty sure it's not something on my end (though I'm doing a deeper scrub anyways), which pretty much leaves Lastpass."
The user says that the Apache Log4j security flaw makes them suspicious about whether a threat actor had gained access to all hashes and was brute-forcing them - or worse, found a location where the credentials were being logged in plaintext.
On Hacker News, user Greg Sadetsky's question about how his LastPass password leaked had garnered almost 500 comments by the time this story was published.
Something very strange and bad is happening to a lot of people's @LastPass accounts. I posted this to Hacker News and it gathered 192 comments, including 7 separate reports of master password breaches & login attempts from the same Brazil IP range. Uhh. https://t.co/tcM0aFdavv
— Greg Technology (@technology_greg) December 27, 2021
In an update to his Hacker News post, Sadetsky says: "The email was truly not phishing - the same information regarding the login attempt appears in my LastPass dashboard. I also talked to LastPass support over the phone, and they confirmed seeing the same information. There are 2 separate users in the thread below confirming that the exact same thing happened to them, from the exact same IP range as me. Either the 3 of us had the same malware/Chrome extension or somehow had our master passwords compromised...? Or...? Is this a LastPass issue?"
Angyal says the alerts were triggered due to ongoing efforts by LastPass to defend its customers from bad actors and credential stuffing attempts.
"It is also important to remember that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s master password(s)," Angyal says.
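The zero-knowledge claim above rests on a specific construction: the master password is turned into keys on the client, and only a one-way derivative of the vault key ever reaches the server, which itself stores only a salted hash of that derivative. The following added example (not LastPass's code; the KDF choice, iteration count, salt layout and the `auth:` domain-separation label are assumptions made for illustration, not LastPass's published parameters) shows that pattern end to end and checks that the server-side record contains neither the master password nor the vault key:

```python
import hashlib
import hmac
import os

# Illustrative parameters (assumptions, not LastPass's published settings).
KDF_ITERATIONS = 100_000
KEY_LEN = 32


def derive_client_keys(master_password: str, email: str) -> dict:
    """Runs entirely on the client.

    Returns the vault key (never leaves the device) and an authentication
    token derived *from* the vault key. Because the token is a one-way
    function of the vault key, a server that receives the token learns
    neither the vault key nor the master password.
    """
    email_salt = email.lower().encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    email_salt, KDF_ITERATIONS, KEY_LEN)
    # Domain-separated second derivation: different salt, so the token is
    # unrelated to the vault key from the server's point of view.
    auth_token = hashlib.pbkdf2_hmac("sha256", vault_key,
                                     b"auth:" + email_salt, 1, KEY_LEN)
    return {"vault_key": vault_key, "auth_token": auth_token}


def server_enroll(auth_token: bytes) -> dict:
    """Server side: keep only a salted, stretched hash of the auth token.

    A stolen record therefore cannot be replayed as a login without first
    inverting the stretch, and it says nothing about the vault key.
    """
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_token, salt,
                                   KDF_ITERATIONS, KEY_LEN)
    return {"salt": salt, "verifier": verifier}


def server_verify(record: dict, auth_token: bytes) -> bool:
    """Server side: recompute the verifier and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_token, record["salt"],
                                    KDF_ITERATIONS, KEY_LEN)
    return hmac.compare_digest(candidate, record["verifier"])


def login(record: dict, master_password: str, email: str) -> bool:
    """Full exchange: the client derives keys locally and sends only the token."""
    keys = derive_client_keys(master_password, email)
    return server_verify(record, keys["auth_token"])


def record_leaks_secret(record: dict, master_password: str, vault_key: bytes) -> bool:
    """Sanity check: neither secret appears verbatim in what the server stores."""
    blob = record["salt"] + record["verifier"]
    return master_password.encode() in blob or vault_key in blob


if __name__ == "__main__":
    # Constructed credentials for the demo.
    email, password = "user@example.com", "correct horse battery staple"
    keys = derive_client_keys(password, email)
    record = server_enroll(keys["auth_token"])
    print("login ok:", login(record, password, email))
    print("wrong password rejected:", not login(record, "wrong", email))
    print("record leaks secret:", record_leaks_secret(record, password, keys["vault_key"]))
```

The point the split makes is that whoever holds the server record has only the verifier: recovering the master password from it means reversing two stretched derivations, and recovering the vault key means reversing the first of them, which is exactly why a credential-stuffing guess must be rejected at the token check and never gives the server, or an attacker who stole its database, the password itself.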
Recommendations
In its blog post, the company recommends the use of a strong, secure master password for LastPass accounts and discourages reuse of passwords across multiple accounts.
"We strongly advise using the LastPass Security Dashboard to identify websites saved in your vault where you’re re-using passwords," it says and provides detailed instructions.
Angyal recommends the use of multifactor authentication for LastPass and other services such as online banking, email and social media.
"Be aware of and recognize the common signs of attempted phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies," Angyal says. "Run anti-virus, end-point protection, and/or anti-malware protection software, as well as regularly update your software and anti-virus signatures."