Recently rumours began circulating that there may have been a data breach at LastPass. Some users claim they saw login attempts on their LastPass accounts from unknown locations using their master password.
Since these login attempts were using master passwords it was originally believed that LastPass master passwords were somehow breached. But LastPass has now confirmed this is not the case.
It wouldn’t be the first time LastPass was breached if this was to be true, as in 2015 the company had a security incident. In the 2015 incident LastPass claimed no vault data was compromised and that LastPass is now more secure as a result of what happened.
This reported incident comes only weeks after we reported that LastPass is to become an independent company and that the company announced it has ambitious plans for the future.
LastPass believed the incident to be a credential stuffing attack on some of its users but later said the security alerts sent to users were likely triggered in error. The company also confirmed that LastPass never has access to the master passwords of its users.
Gabor Angyal, VP of Engineering at LastPass has said:
“Our initial findings led us to believe that these alerts were triggered in response to attempted ‘credential stuffing’ activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.”
He also said:
“However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert emails to be triggered from our systems. Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to remember that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).“
So while LastPass appears to be confident that it has had no breach, the company did also make it clear how important it is for users to never reuse passwords, especially the master password used on LastPass accounts.
Users can keep their accounts as secure as possible by not only ensuring passwords are not reused, but by also enabling 2FA (Two-factor authentication) on LastPass accounts and as a further step while also using 2FA on all the accounts stored within LastPass.
If you are concerned that your data may be involved in a data breach and/or would like to check, a frequently recommended website to find out is HaveIBeenPwned.