LastPass responded to reports from several users of the password manager who received notifications of unauthorized login attempts. “Someone just used your master password to try to log into your account from a device or location we didn’t recognize,” the alert reads. “LastPass blocked this attempt, but you should take a look.”
Initially, the password manager app claimed that notifications were triggered by potential credential stuffing attacks.
LogMeIn, the company that owns LastPass, also ruled out the collection of credentials by malware, malicious browser extensions, or phishing campaigns.
Users suspect master password leaks in previous data breach
LastPass users confirmed that the alerts came from the company, ruling out phishing attempts.
Additionally, alerts are triggered when account owners use their master passwords to sign in from unknown devices or locations.
Some affected users reported that they did not reuse email addresses and passwords, while others received login-attempt notifications even after changing their master passwords.
Likewise, some affected users who tried to delete their LastPass password manager account encountered an HTTP 500 error stating that “Something went wrong” after clicking the delete button.
Most of the reports also came from users with old, outdated LastPass accounts, suggesting a previous breach.
Coincidentally, security researcher Bob Diachenko noted he found thousands of LastPass account credentials in the RedLine Stealer logs. However, Diachenko checked the login information for some affected users but could not find a match.
Although the password manager does not store the user’s master password on its servers, it does store their saved passwords in encrypted form.
LastPass password manager triggered unauthorized login alerts by mistake
After conducting additional investigations, LastPass reiterated that users’ master passwords were not viewed by an unauthorized third party.
“It is important to note that we have no indication that the accounts were viewed successfully or that the LastPass service was otherwise compromised by an unauthorized party,” LogMeIn Global PR Senior Director Nikolett Bacso-Albaum said. “We regularly monitor this type of activity and will continue to take measures designed to ensure that LastPass, its users and their data remain protected and secure.”
The company continued to investigate incidents out of caution and found that some security alerts sent to a “limited subset of LastPass users” were triggered in error.
LastPass also explained that the security alerts were triggered by its ongoing efforts to protect users from credential stuffing attempts by bad actors, and reiterated that it does not store or know users’ master passwords.
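As an added illustration (not LastPass’s own code, whose internal alerting logic the article does not describe), the following Python sketch contrasts two alerting rules over constructed login events: a coarse rule that alerts every account touched by a source seen spraying many accounts, regardless of whether the password was correct, and a stricter rule that only fires when a correct master password arrives from a device the account has never used. The account names, IP addresses, device ids and the spraying threshold are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    account: str
    ip: str
    device_id: str
    password_ok: bool  # did the presented master password verify?


# Constructed sample events: one normal login, one genuine unknown-device
# login, and three failed attempts from the same source against other accounts.
EVENTS = [
    LoginEvent("alice@example.com", "203.0.113.5", "dev-alice-laptop", True),
    LoginEvent("bob@example.com", "198.51.100.9", "dev-unknown-1", True),
    LoginEvent("carol@example.com", "198.51.100.9", "dev-unknown-1", False),
    LoginEvent("dave@example.com", "198.51.100.9", "dev-unknown-1", False),
    LoginEvent("erin@example.com", "198.51.100.9", "dev-unknown-1", False),
]

# Constructed per-account sets of previously seen device ids.
KNOWN_DEVICES = {
    "alice@example.com": {"dev-alice-laptop"},
    "bob@example.com": {"dev-bob-phone"},
}


def find_stuffing_sources(events, threshold=3):
    """IPs that tried logins against at least `threshold` distinct accounts
    (an assumed credential-stuffing heuristic, not LastPass's)."""
    accounts_by_ip = defaultdict(set)
    for e in events:
        accounts_by_ip[e.ip].add(e.account)
    return {ip for ip, accts in accounts_by_ip.items() if len(accts) >= threshold}


def naive_alerts(events, stuffing_ips):
    """Coarse rule: alert every account a stuffing source touched, even when the
    password was wrong. Hypothetical: one way 'your master password was used'
    notices could reach accounts whose password was never actually verified."""
    return [e.account for e in events if e.ip in stuffing_ips]


def precise_alerts(events, known_devices):
    """Strict rule: alert only when the master password verified AND the device is
    not on the account's known list; a wrong password never triggers it."""
    return [(e.account, e.ip, e.device_id) for e in events
            if e.password_ok and e.device_id not in known_devices.get(e.account, set())]
```

With the constructed events the coarse rule notifies four accounts, three of which never had a correct password presented, while the strict rule notifies only the one account that did.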
Past security issues in the password manager
While the cause of the LastPass scare remains a mystery, the password manager is no stranger to security holes.
The password management app officially recognized a data breach in 2015. However, no account data was compromised during the incident, according to the company.
In 2016, Sean Cassidy discovered a CSRF vulnerability that attackers could exploit in phishing attacks. Likewise, researchers at the University of California documented another CSRF bug.
In 2016, Mathias Karlsson discovered a bug that allowed him to automatically fill in login information on a different domain.
Tavis Ormandy of Google Project Zero discovered a message-hijacking bug affecting Firefox users. Another browser vulnerability was discovered in 2017, and a fake-app autofill bug in 2019.
Likewise, another browser extension vulnerability was discovered in 2019, and in 2021 Mike Kuketz revealed that the LastPass password manager was tracking its users.