LastPass: some users report compromised accounts

Some LastPass password manager users revealed this week that they had received emails from LastPass stating that logins to their accounts with the account’s master password were blocked. The first of these reports was published in Hacker News.

Emails sent by LastPass indicate that LastPass blocked a login attempt. In the case of the thread starter, the login attempt came from Brazil.

Login attempt blocked

Hello,

Someone just used your master password to try to log into your account from a device or location that we did not recognize. LastPass blocked this attempt, but you should take a closer look.

The emails are legitimate LastPass emails, not phishing emails. The attackers managed to access the client’s master password. It’s unclear how the attackers managed to get the data, possibilities include malware running on users’ systems, old data from past breaches, data that was used in other online accounts that was compromised, or a new security issue. .

Ringing computer posted a comment from LogMeIn’s senior director of public relations / AR, Nikolett Bacso-Albaum, suggesting that the data is coming from third-party breaches and that the attacks are coming from bots.

LastPass investigated recent reports of blocked login attempts and determined that the activity is related to a fairly common bot-related activity, in which a malicious or malicious actor tries to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third parties. infringements of the parties related to other unaffiliated services.

LastPass has no indication that the accounts were successfully accessed or that their service was compromised, according to the response.

Some of the users who reported the problem online stated that their master passwords are unique and not used anywhere else, which, if true, eliminates the third-party breach scenario.

LastPass is an online password management service; customers can log in online to access their account using a master password. Options are also available to protect accounts with two-factor authentication.

LastPass customers may want to add two-factor authentication to their accounts to better protect them against unauthorized login attempts. Changing the master password can also be an option, but only if the leak is coming from a third-party source and not from LastPass directly.

Online password managers offer convenient options to sync passwords across devices, but add another attack vector compared to local password manager solutions like KeePass.

Now you– Are you using an online password manager or a local one? (via Born)

advertising