LastPass says no passwords compromised in latest security alert



Do you use LastPass? It’s time to update your master password.

Sarah Tew / CNET

A security alert emerged Tuesday night for LastPass users when some reported receiving emails from LastPass saying it had blocked unauthorized attempts to access their accounts. As first reported by AppleInsider, some LastPass users said they were notified of multiple login attempts, using correct master passwords, from various locations. LastPass confirmed that the email alerts were related to an attempted credential stuffing attack – in which attackers try to log into many accounts using credentials exposed in earlier breaches – but said that no master password had been compromised.
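The two signals behind an alert like the one described above, as an added illustration that is not LastPass code: a correct password presented from a country the account has never used (the "blocked login from unknown location" case), and one source address cycling through many distinct accounts (the credential-stuffing pattern). The events, field names and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample authentication events, not real provider logs:
# (account, source_ip, country, password_ok)
EVENTS = [
    ("alice@example.com", "203.0.113.5", "US", True),
    ("alice@example.com", "203.0.113.5", "US", True),
    ("bob@example.com", "198.51.100.7", "US", True),
    ("carol@example.com", "203.0.113.9", "US", True),
    # one source replaying leaked username/password pairs across accounts;
    # some pairs are still valid, others are stale
    ("alice@example.com", "192.0.2.44", "BR", True),
    ("bob@example.com", "192.0.2.44", "BR", True),
    ("carol@example.com", "192.0.2.44", "BR", True),
    ("dave@example.com", "192.0.2.44", "BR", False),
    ("erin@example.com", "192.0.2.44", "BR", False),
]


def new_location_alerts(events):
    """Return (account, ip, country) for each event where a correct password
    was presented from a country the account had not logged in from before.
    These are the attempts a provider would block and notify the user about.
    The account's first ever login establishes its baseline and is not flagged."""
    seen_countries = defaultdict(set)
    alerts = []
    for account, ip, country, password_ok in events:
        if not password_ok:
            continue  # wrong password: no account exposure, just a failed attempt
        if seen_countries[account] and country not in seen_countries[account]:
            alerts.append((account, ip, country))
        seen_countries[account].add(country)
    return alerts


def stuffing_sources(events, min_accounts=3):
    """Return source IPs that attempted at least min_accounts distinct accounts,
    regardless of outcome. Normal users touch one or two accounts from an address;
    a stuffing run touches many, which is the signature to rate-limit or block."""
    accounts_by_ip = defaultdict(set)
    for account, ip, _country, _password_ok in events:
        accounts_by_ip[ip].add(account)
    return sorted(ip for ip, accts in accounts_by_ip.items() if len(accts) >= min_accounts)


if __name__ == "__main__":
    print("new-location alerts:", new_location_alerts(EVENTS))
    print("stuffing sources:", stuffing_sources(EVENTS))
```

Correlating the two lists (an alerted account whose source is also a stuffing source) is what distinguishes a user travelling from a reused password being replayed.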

In a statement, Dan DeMichele, vice president of product management at LastPass, said the email security alerts were sent to a limited subset of LastPass users and were likely triggered in error. DeMichele said LastPass has adjusted its security alert systems and the issue has been resolved.

“We have been working quickly to investigate this activity and at this time we have no indication that any LastPass accounts have been compromised by an unauthorized third party as a result of this credential stuffing, and we have found no indication that users’ LastPass credentials were harvested by malware, malicious browser extensions, or phishing campaigns,” DeMichele said. “However, out of caution, we continued to investigate with the purpose of determining the cause of the automated security alert emails being triggered from our systems.”

This isn’t the first time that LastPass – proprietary rather than open source – has faced a security scare or criticism over its privacy practices. Its most notable breach occurred in 2015 and is the only breach listed on the official LastPass website. In the same year, however, Asana’s chief security officer Sean Cassidy discovered a phishing vulnerability created by a CSRF bug, and a research paper emerged detailing another CSRF bug and how LastPass’s Safari bookmarklet option was vulnerable if users were tricked into clicking certain parts of an attacker’s site.


In 2016, two vulnerabilities were discovered: one by security researcher Mathias Karlsson, the other by Google Project Zero’s Tavis Ormandy, the latter prompting LastPass to urge users to update their browsers. In 2017, the password manager fixed another major security flaw in its browser extension – the Achilles heel of most password managers – which could have allowed attackers to manipulate a LastPass account. This foreshadowed research from the University of York in 2019, which found another vulnerability that would allow malicious copycat apps to exploit LastPass’s autofill feature. Ormandy returned to examining LastPass later in 2019, discovering a third browser extension vulnerability – which LastPass again fixed – that could expose login information entered on a previously visited site.

In February 2021, LastPass was once again in the privacy hot seat over its use of web trackers.

Regarding Tuesday’s security alert, LastPass said it would monitor the service for any unusual or malicious activity and continue to take whatever steps are necessary to keep user data safe.

Unlike audits conducted by open-source competitors RememBear, NordPass, and Bitwarden, LastPass’s independent third-party audits are limited in their public availability. And while LogMeIn maintains a collection of audits for several of its properties, the company says its additional cloud security audit for LastPass is only available if you sign a nondisclosure agreement. Only simple organizational audits are traditionally publicly available, along with a list of companies that LastPass works with.

As a precaution, LastPass users should regularly update their master password and enable multi-factor authentication on their accounts. If you’ve reused your LastPass master password for other password managers – such as Bitwarden or 1Password – we recommend that you update those accounts too. And remember: if you use a password manager, never reuse the master password for any other site, service, or application.


How to update your LastPass master password

The easiest way to change your LastPass master password is to log into your vault through the LastPass main site. Because of the recent scare, you may be asked to confirm your identity the first time you attempt to log in. If so, you will likely need to confirm your login attempt via an email sent to the address associated with your LastPass account. So check your inbox for a LastPass email if you’re having trouble signing in.

Once logged into your vault, go to the top right corner of the page and, just to the right of your LastPass username, click the small inverted-triangle icon to expand your account menu. Then select Account Settings.

A screen will appear. Its first tab is titled General. Under the Login Credentials heading, you’ll see a line called Master Password. Just to the right of these words, click on the button titled Change master password.

From there, you’ll be prompted to confirm your current master password, create your new master password, and write a hint to help you remember it in the future if needed.

To check whether the email address associated with your LastPass account has appeared in recent breaches, go to Have I Been Pwned and enter your email address in the search bar.
