LastPass, one of the more well-known and popular password managers available, is seeing several reports of attempted log-ins with users’ correct master passwords.
For those unfamiliar with LastPass or password managers in general, they typically require users to have a primary or master password that unlocks their password vault, which contains the passwords for all their other accounts. Although that may sound like a recipe for disaster, password managers allow people to use randomly generated passwords for all their accounts, meaning you only need to remember one really strong password for your password manager instead of hundreds of mediocre passwords (or worse, the same password reused).
Reports were first spotted on the ‘Hacker News’ forum by AppleInsider (via Android Police). The reports explain that LastPass informed users about blocked login attempts that originated from other parts of the world, often from Brazil. According to the LastPass emails, these login attempts include correct passwords, but were blocked because of the unusual geographic location.
Interestingly, LastPass’ owner, LogMeIn, says there’s no indication that its servers were hacked. You can read the full statement provided to Android Police below:
“LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”
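To make the two signals in the reports above concrete, here is an added illustration (not LastPass's or LogMeIn's code, and not based on their real detection logic): a toy detector that flags a correct-password login from a country an account has never used, which is the condition LastPass blocked and emailed about, and flags a single source address spraying many different accounts, which is the credential-stuffing pattern the statement describes. The event layout, the per-account country baseline, the sample IPs and the threshold of three accounts are all constructed assumptions.

```python
"""Toy detector for two login-abuse signals: a correct password presented from
an unusual country, and one source address trying many distinct accounts.
Added illustration only; event format, baselines and thresholds are assumed."""
from collections import defaultdict

# Constructed sample events: (account, source_ip, country, password_correct)
EVENTS = [
    ("alice@example.com", "203.0.113.7",  "CA", True),
    ("alice@example.com", "198.51.100.9", "BR", True),   # right password, unusual country
    ("bob@example.com",   "198.51.100.9", "BR", False),
    ("carol@example.com", "198.51.100.9", "BR", True),   # right password, unusual country
    ("dave@example.com",  "198.51.100.9", "BR", False),
    ("erin@example.com",  "198.51.100.9", "BR", False),
    ("bob@example.com",   "192.0.2.44",   "CA", True),
]

# Constructed baseline: countries each account has previously logged in from
KNOWN_COUNTRIES = {
    "alice@example.com": {"CA"},
    "bob@example.com":   {"CA", "US"},
    "carol@example.com": {"CA"},
    "dave@example.com":  {"US"},
    "erin@example.com":  {"CA"},
}


def geo_anomalies(events, known):
    """Logins that presented the correct password from a country the account
    has never used. These are the attempts to block and notify on: the
    password is already known to someone else, so the user must rotate it."""
    return [
        (account, ip, country)
        for account, ip, country, ok in events
        if ok and country not in known.get(account, set())
    ]


def stuffing_sources(events, min_accounts=3):
    """Source IPs that tried at least `min_accounts` distinct accounts, whether
    or not the passwords were right. Walking a breach list of email/password
    pairs against many accounts from one address produces exactly this shape."""
    accounts_by_ip = defaultdict(set)
    for account, ip, _country, _ok in events:
        accounts_by_ip[ip].add(account)
    return sorted(ip for ip, accts in accounts_by_ip.items() if len(accts) >= min_accounts)


def accounts_to_notify(events, known):
    """Accounts whose password was confirmed correct by a spraying source: the
    users who should be told to change the master password and enable 2FA."""
    bad_ips = set(stuffing_sources(events))
    return sorted({acct for acct, ip, _ in geo_anomalies(events, known) if ip in bad_ips})


if __name__ == "__main__":
    for account, ip, country in geo_anomalies(EVENTS, KNOWN_COUNTRIES):
        print(f"blocked: {account} correct password from {country} via {ip}")
    print("stuffing sources:", stuffing_sources(EVENTS))
    print("notify:", accounts_to_notify(EVENTS, KNOWN_COUNTRIES))
```

The two checks are deliberately independent: a geographic anomaly alone can be a legitimate traveller, and a spraying address alone may hold no valid passwords, but an account that appears in both lists has had its password confirmed by a bulk attacker, which is the case where a notification and a forced password change are warranted.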
Passwords could have come from third-party breaches, phishing scams
However, the attempted logins appear to be coordinated, which raises the question: where did these malicious actors get the passwords from? LogMeIn points the finger at third-party breaches, which is plausible if the affected LastPass users reused their master password on other online accounts.
Other theories posited on the Hacker News forum include a LastPass autofill exploit from 2015, while others suspect the LastPass users who reported the problem may have been phished. Another possibility is that LastPass’ old, discontinued forum, which apparently required people to log in with their LastPass master password, could be to blame.
Whatever the reason, if you use LastPass, you may want to take a few steps to protect yourself. First, it’s probably a good idea to change your master password. And while you’re doing that, enable two-factor authentication (2FA) if you don’t have it on already. Finally, if you don’t use LastPass anymore — which may apply to several people since LogMeIn effectively killed the free version in 2021 — you should take the time to delete your account. That should prevent any malicious actors from potentially gaining access to any passwords still saved to LastPass.