Yesterday, I posted a story where I asked if password manager LastPass had been pwned. This was based on reports of multiple attempted logins using correct master passwords from various locations. This came via multiple users in a Hacker News forum who have shared that their master passwords for LastPass appear to be compromised.
When LastPass initially commented on this to BleepingComputer, they had this to say:
LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum told BleepingComputer that “LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.”
“It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure,” Bacso-Albaum added.
However, users receiving these warnings have stated that their passwords are unique to LastPass and not used elsewhere. BleepingComputer has asked LastPass about these concerns but has not received a reply as of yet.
I was suspicious of that statement, and now that LastPass has released a new statement to The Verge, it really makes me wonder what the truth actually is:
As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts.
We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.
However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.
Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a users’ Master Password(s).
We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.
I have to say that I am not buying this. Was it an attack as per the earlier statement? Or was it a screw up that caused this as per their later statement? And this does not explain why reports of multiple attempted logins using correct master passwords from various locations started to pop up. This whole situation is a bit of a mess and some clarity is needed here.
My advice goes something like this: In the absence of hard facts, assume your LastPass account has been pwned. If you stick with LastPass, you need to do the following:
- Users should change their passwords AND enable two-factor authentication
- Then users should keep an eye out for suspicious login attempts.
But if you’re really uneasy about staying with LastPass, you should migrate to another password manager ASAP and delete your LastPass account. Hopefully LastPass comes out with a statement and facts to back it up which bring clarity to this situation and peace of mind to LastPass users.