Password managers are a great way to improve your online security, but it would be a nightmare scenario if your password manager’s account were hacked. This week, some LastPass users report that their Master Passwords appear to have been compromised, but LastPass says things are technically working as they’re supposed to.
Multiple LastPass users across the internet have shared their terrifying situation where an email alert reveals that someone has used their Master Password to attempt to access their account. The legitimate alerts, thankfully, notify users that account access was blocked due to the region where the attempt was made.
LastPass, like other password managers, relies on a “Master Password” as the key to unlock a user’s collection of passwords. The encrypted vault of passwords and other data are stored on the company’s servers, but the Master Password is not.
In a statement to How-To-Geek, LastPass claims that there is currently no indication that a third-party has breached LastPass security, but rather speculates that affected users could be using their Master Password on other services.
LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.
What makes this situation worrying though, is that some users were using completely unique passwords on LastPass (which is obviously good practice) and that some are seeing their accounts accessed and blocked again even after changing their Master Password (via Bleeping Computer).
For the time being, it seems that LastPass’ security is working properly, and these breach attempts are being blocked. However, if you’re a LastPass user, it would probably be a good idea to change your password now, and perhaps the passwords of any particularly sensitive accounts.
More on Passwords and Security:
- Google Assistant and Duplex can now help you change stolen passwords in Chrome
- How to transfer your passwords from Apple to Android
- You can now require a password before Google shows your ‘My Activity’ usage history
FTC: We use income earning auto affiliate links. More.