LastPass investigated recent reports of blocked login attempts

Password manager app LastPass confirmed that threat actors have launched a credential stuffing attack against its users.

While LastPass says that it is not aware that some of its accounts were compromised in the recent credential stuffing attacks that started on Monday, numerous LastPass users claim that their master passwords have been compromised after receiving emails warning them that someone tried to use them to access their accounts.

“Someone just used your master password to try to log in to your account from a device or location we didn’t recognize,” reads the warnings. “LastPass blocked this attempt, but you should take a closer look. Was this you?”

The email warning sent by the company informs the users that the login attempts have been blocked due to the unusual origin locations.

“LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.” Nikolett Bacso-Albaum Senior Director, Global PR/AR told BleepingComputer. “It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”

Many users that that received the email warnings stated that their master passwords was only used to access the LastPass service and were not shared with other web services. This circumstance, if confirmed, suggests that the Password manager service was compromised, but at this time there is no evidence of compromise.

The situation could be worse if we consider that some customers after having reported having changed their master passwords state that they received another login warning.

Some users also reported that they were not able to delete and disable their accounts.

LastPass users are recommended to enable multifactor authentication to protect their accounts.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, password)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.