LastPass has responded to reports of multiple password manager users receiving unauthorized login attempt notifications. “Someone just used your master password to try to log in to your account from a device or location we didn’t recognize,” the alert read. “LastPass blocked this attempt, but you should take a close look.”
Initially, the password manager app claimed that the notifications were triggered by potential credential stuffing attacks.
LogMeIn, the company that owns LastPass, also ruled out any credential harvesting by malware, rogue browser extensions, or phishing campaigns.
Users suspect master password leaks in a previous data breach
LastPass users have confirmed that the alerts originated from the company, thus ruling out phishing attempts.
Additionally, the alerts trigger when account owners use their master passwords to log in from unknown devices or locations.
Some affected users noted that they do not reuse email addresses and passwords, while others received attempted login notifications after changing their master passwords.
Some concerned users who tried to delete their LastPass password manager account encountered an HTTP 500 error stating that “Something went wrong” after clicking the delete button.
Most reports also originated from users with outdated LastPass accounts, suggesting an earlier breach.
Coincidentally, security researcher Bob Diachenko said he had found thousands of LastPass account credentials in RedLine Stealer logs. However, when Diachenko checked the login details of some affected users against those logs, he couldn’t find a match.
The password manager app does not store the user’s master password on its servers, but it does store the user’s saved passwords in encrypted form.
LastPass password manager triggered unauthorized login alerts by mistake
After conducting further investigations, LastPass reiterated that users’ master passwords were not accessed by an unauthorized third party.
“It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party,” LogMeIn Global PR senior director Nikolett Bacso-Albaum said. “We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”
The company continued to investigate the incidents out of an abundance of caution and found that some security alerts sent to a “limited subset of LastPass users” were triggered in error.
LastPass explained that the security alerts were triggered by its ongoing efforts to protect users from credential stuffing attempts by bad actors, and reiterated that it does not store or know the users’ master passwords.
Past security issues in password manager
While LastPass’s scare remains a mystery, the password manager app is no stranger to security vulnerabilities.
The password manager app officially acknowledged a data breach in 2015. However, no account data was compromised in the incident, according to the company.
In 2016, Sean Cassidy discovered a CSRF vulnerability that attackers could exploit in phishing attacks. Similarly, researchers from the University of California documented another CSRF bug.
In 2016, Mathias Karlsson discovered a bug that allowed him to autofill login details on a different domain.
Google Project Zero’s Tavis Ormandy discovered a message-hijacking bug that affected Firefox users. Another browser vulnerability was discovered in 2017, and a fake app autofill bug in 2019.