LastPass says master password leak warnings were sent in error
LastPass users around the world were thrown into a state of panic after the company issued email warning about unauthorized use of master passwords.
The password manager company advised users of suspicious login attempts using the master password associated with their account. This led to concerns that the company has been hacked or that passwords had been leaked, but LastPass says that the warnings were erroneous.
See also:
- Microsoft confirms color problem in Windows 11 -- but a fix is weeks away
- Intel releases performance-enhancing graphics driver update to fix Desktop Windows Manager problem in Windows 10 and Windows 11
- Microsoft has blocked all default browser workarounds in Windows 10 and Windows 11
Shortly after the warning emails were sent out, many users started to get in touch with LastPass to find out what was going on. The company started an investigation, and soon issued a statement saying:
LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It's important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.
This was not the end of the investigation, and after further digging the company's vice president of product management, Dan DeMichele, issued a further statement saying:
As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts.
We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that user's LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.
However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.
Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a users' Master Password(s).
We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.
It is not clear how many users received a warning email from LastPass, but what matters is that users' accounts remain safe.