Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems. We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns. Here's the verbatim statement we received:

As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts. A small number of the warnings sent out by LastPass via email appear to have been triggered as an error, too. If you’re not using LastPass any longer, consider deleting your account to prevent anyone from accessing passwords potentially still saved to it.

Following further investigation, LastPass' Vice President of Product Management Dan DeMichele has shared that there is no indication that rogue browser extensions, malware, or successful phishing attacks on LastPass subscribers are the cause for the influx of login attempts.

While you’re at it, it also makes sense to activate two-factor authentication for your password manager, which will give you an additional layer of security. Given that LastPass users are experiencing this influx of login attempts right now, you should change your master password - use a different computer than you usually do just to be sure.
It's possible that another problem in some LastPass software or some third-party extension or app has cropped up again in the meantime.

Although LastPass says it hasn’t been hacked, it’s possible that your years-old master password has been leaked via other means, as stated by the company itself. Bleeping Computer reports that the company only fixed a security vulnerability in its Chrome extension in 2019, so an attack vector once existed. It sure looks like there must be some connection between these users, with some malware or keylogging software stealing their master passwords as they're typed. However, it's odd that many affected LastPass users are adamant that they've never re-used their LastPass passwords for other services, and some have even been hit by blocked login attempts with the right password shortly after changing their credentials. AppleInsider writes that more and more reports are popping up, and even though LastPass hasn't been hacked, there appears to be a larger effort to breach individual LastPass accounts.

Digging deeper into the Hacker News thread, it appears that most of the affected users haven’t actively used LastPass for a longer period of time, and they also haven’t changed their passwords in a while. That said, there still appears to be a coordinated attempt to log into LastPass accounts. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.

It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party.
LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.