Has LastPass Been Pwned? [UPDATED x2]

That’s the question a lot of LastPass users have been asking, as LastPass members have reported multiple attempted logins using correct master passwords from various locations. This comes via multiple users in a Hacker News thread who have shared that their LastPass master passwords appear to be compromised. There is a pattern that seems to be emerging, though: the majority of reports appear to come from users with outdated LastPass accounts. This indicates that the master password list being used may have come from an earlier hack, which also means that threat actors were possibly inside LastPass for a while. And changing the master password doesn’t help. That spells big trouble for anyone who uses this service.

The only conclusion that I can come to is that there must have been a data breach at LastPass, which, if true, is catastrophic for LastPass and their users.

Now to protect yourself, I’ll give you two options. Here’s the first if you want to stick with LastPass:

  • Users should change their passwords AND enable two-factor authentication
  • Then users should keep an eye out for suspicious login attempts.

I won’t go as far as to guarantee that this will fully secure your passwords, but it’s better than nothing. I think the real solution is to migrate away from LastPass to keep yourself secure. I personally use eWallet as that isn’t reliant on a third party and is totally in my control. But importing your LastPass data into another password manager is another option. A search with the search engine of your choosing will help you find directions for that.

Now I have been scanning Twitter and the LastPass website and I have seen no comment from the company on this. But I have to assume that they will have to make some sort of comment on this as the longer they stay silent, and the more people report issues, the worse this gets for LastPass.

UPDATE: BleepingComputer is reporting the following:

LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum told BleepingComputer that “LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.”

“It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure,” Bacso-Albaum added.

However, users receiving these warnings have stated that their passwords are unique to LastPass and not used elsewhere. BleepingComputer has asked LastPass about these concerns but has not received a reply as of yet.

To me this sounds like more than credential stuffing. But there’s more. I got this tip from a reader:

BleepingComputer has noted the same thing:

To make things even worse, customers who tried disabling and deleting their LastPass accounts after receiving these warnings also report receiving “Something went wrong: A” errors after clicking the “Delete” button.

So what’s clear to me is something is really up with LastPass in a bad way. And whatever it is, it isn’t trivial. That’s not good for LastPass users. At this point, the company really needs to explain what is going on.

UPDATE #2: I just got this Tweet in terms of being able to delete your LastPass account:
