While LastPass says that it is not aware that some of its accounts were compromised in the recent credential stuffing attacks that started on Monday, numerous LastPass users claim that their master passwords have been compromised after receiving emails warning them that someone tried to use them to access their accounts.
“Someone just used your master password to try to log in to your account from a device or location we didn’t recognize,” reads the warnings. “LastPass blocked this attempt, but you should take a closer look. Was this you?”
The email warning sent by the company informs the users that the login attempts have been blocked due to the unusual origin locations.
“LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.” Nikolett Bacso-Albaum Senior Director, Global PR/AR told BleepingComputer. “It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”
Many users that that received the email warnings stated that their master passwords was only used to access the LastPass service and were not shared with other web services. This circumstance, if confirmed, suggests that the Password manager service was compromised, but at this time there is no evidence of compromise.
The situation could be worse if we consider that some customers after having reported having changed their master passwords state that they received another login warning.
Some users also reported that they were not able to delete and disable their accounts.
LastPass users are recommended to enable multifactor authentication to protect their accounts.
(SecurityAffairs – hacking, password)