LastPass users report accounts were likely compromised
Some LastPass password manager users revealed this week that they received emails from LastPass stating that logins to their accounts using the master password had been blocked. The first of these reports appeared on Hacker News.
LastPass emails indicate that a login attempt was unsuccessful. The login attempt came from Brazil in the case of the thread starter.
Login attempts are being blocked.
Hello,
Someone just tried to log in to your account using your master password from a device or location we didn’t recognize. LastPass foiled this attempt, but you should investigate further.
The emails are genuine LastPass emails, not phishing emails. The attackers were able to obtain the customer’s master password. It is unclear how the attackers obtained the data; possibilities include malware running on user systems, old data from previous breaches, data used in other compromised online accounts, or a new security issue.
Bleeping Computer published a comment from LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum, who claims that the data came from third-party breaches and that the attacks were carried out by bots.
LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor tries to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches involving other unaffiliated services.
According to the response, LastPass has no evidence that accounts were successfully accessed or that its service was compromised.
Some of the users who reported the issue online stated that their master passwords are unique and not used anywhere else, which, if true, rules out a third-party breach as the source of those passwords.
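To make the two signals in this story concrete (a correct master password arriving from a device and location the service has never seen, and a single source cycling through many accounts with leaked credentials), here is an added illustration in Python. It is not LastPass code; the attempt records, IP addresses, device identifiers and account history are constructed for the example.

```python
from collections import defaultdict

# Constructed sample login attempts (not real LastPass data): each record is
# (email, password_ok, source_ip, country, device_id).
ATTEMPTS = [
    ("alice@example.com", True,  "203.0.113.7",  "BR", "dev-unknown-1"),
    ("alice@example.com", True,  "198.51.100.4", "US", "dev-alice-laptop"),
    ("bob@example.com",   False, "203.0.113.7",  "BR", "dev-unknown-2"),
    ("carol@example.com", True,  "203.0.113.7",  "BR", "dev-unknown-3"),
    ("dave@example.com",  False, "203.0.113.7",  "BR", "dev-unknown-4"),
    ("erin@example.com",  False, "203.0.113.7",  "BR", "dev-unknown-5"),
]

# Constructed per-account history of devices and countries seen before.
KNOWN = {
    "alice@example.com": {"devices": {"dev-alice-laptop"}, "countries": {"US"}},
    "bob@example.com":   {"devices": {"dev-bob-phone"},    "countries": {"DE"}},
    "carol@example.com": {"devices": {"dev-carol-pc"},     "countries": {"US"}},
    "dave@example.com":  {"devices": set(), "countries": set()},
    "erin@example.com":  {"devices": set(), "countries": set()},
}

def classify(email, password_ok, country, device_id, known=KNOWN):
    """Per-attempt decision in the spirit of the notification email: a
    correct password from an unrecognised device *and* country is blocked
    and the user is notified; a wrong password is simply rejected."""
    if not password_ok:
        return "reject"
    hist = known.get(email, {"devices": set(), "countries": set()})
    if device_id in hist["devices"] or country in hist["countries"]:
        return "allow"
    return "block_and_notify"

def stuffing_sources(attempts, min_accounts=3):
    """Aggregate signal of credential stuffing: one source IP trying many
    distinct accounts, whether or not the passwords turn out to be correct.
    Returns {ip: number_of_distinct_accounts} for IPs at or over the threshold."""
    per_ip = defaultdict(set)
    for email, _ok, ip, _country, _dev in attempts:
        per_ip[ip].add(email)
    return {ip: len(accts) for ip, accts in per_ip.items() if len(accts) >= min_accounts}

if __name__ == "__main__":
    for email, ok, ip, country, dev in ATTEMPTS:
        print(email, ip, classify(email, ok, country, dev))
    print("suspected stuffing sources:", stuffing_sources(ATTEMPTS))
```

The per-attempt check alone would let carol's attempt through if her country had matched, which is why the aggregate view of one source touching many accounts is the signal that distinguishes bot activity from a single travelling user.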
LastPass is a password management service that allows customers to sign in online and access their accounts using a master password. There are also options for securing the accounts with two-factor authentication.
Customers of LastPass may want to enable two-factor authentication on their accounts to better protect them from unauthorized login attempts. Changing the master password may also be an option, but only if the leak is caused by a third-party source rather than LastPass.
When compared to local password manager solutions such as KeePass, online password managers provide more convenient options for syncing passwords across all devices.
Now You: do you use an online password manager, or a local one? (via Born)