Some users of the password management app LastPass have received very alarming email warnings indicating that someone tried to log into their account from an unknown location. Their master password, which keeps all the other passwords, payment cards, and other sensitive data stored in LastPass safe, had apparently been compromised. LastPass detected the suspicious login attempts immediately and sent email notifications stating that the attempts were blocked because they were made from unfamiliar locations around the world.
LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum mentioned that it is important to note that they do not have any indication that their account was successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. LastPass has investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. They regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.
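As an added illustration, not LastPass's own detection logic (which the article does not describe), the two signals at play here can be separated over login records: an attempt from a country the account has never used, which is what the warning emails report, and one source IP failing against many distinct accounts, which is the pattern of bot-driven credential stuffing with leaked third-party email/password pairs. All accounts, IPs and countries below are constructed sample data.

```python
from collections import defaultdict

# Constructed login-attempt records (not real LastPass data).
# Each tuple: (account, source_ip, country, outcome)
ATTEMPTS = [
    ("alice@example.com", "203.0.113.7",  "BR", "blocked"),
    ("bob@example.com",   "203.0.113.7",  "BR", "blocked"),
    ("carol@example.com", "203.0.113.7",  "BR", "blocked"),
    ("dave@example.com",  "203.0.113.7",  "BR", "blocked"),
    ("alice@example.com", "198.51.100.2", "US", "success"),
    ("alice@example.com", "192.0.2.9",    "IN", "blocked"),
]

# Countries each account has previously logged in from (constructed).
KNOWN_COUNTRIES = {
    "alice@example.com": {"US"},
    "bob@example.com":   {"DE"},
    "carol@example.com": {"FR"},
    "dave@example.com":  {"US"},
}


def unfamiliar_location_attempts(attempts, known):
    """Per-account signal: (account, country) pairs for attempts made from a
    country the account has never used. This is the condition that triggers
    a 'login from unfamiliar location' notification to the user."""
    return sorted({(acct, country) for acct, _ip, country, _out in attempts
                   if country not in known.get(acct, set())})


def stuffing_sources(attempts, min_accounts=3):
    """Cross-account signal: source IPs with failed attempts against at least
    min_accounts distinct accounts. A single source spraying many accounts
    points to automated credential stuffing rather than one user mistyping."""
    failed = defaultdict(set)
    for acct, ip, _country, outcome in attempts:
        if outcome != "success":
            failed[ip].add(acct)
    return sorted(ip for ip, accts in failed.items() if len(accts) >= min_accounts)


def summarize(attempts=ATTEMPTS, known=KNOWN_COUNTRIES):
    """Combine both views so an analyst can tell a targeted attempt on one
    account apart from a bot run hitting many accounts from one source."""
    return {"unfamiliar": unfamiliar_location_attempts(attempts, known),
            "stuffing_ips": stuffing_sources(attempts)}
```

Note that a user who changes their master password but whose machine is still leaking it (for example through clipboard-monitoring malware) keeps producing the per-account signal, which matches the repeat alerts described later in the article.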
However, users receiving these warnings have stated that their master passwords are unique to LastPass and are not used anywhere else. If these passwords really were unique, where did the attacker find them? They could not have been stolen from LastPass itself, as LastPass does not store, and has no access to, its users' master passwords.
There are a few possible explanations. One is that a master password, even if unique, is not necessarily strong. Another is that malware is involved: numerous malware strains monitor clipboard activity on infected computers, watching users' copy and paste operations, because that is the most common way to enter long, complex passwords, crypto wallet addresses, or public and private keys.
This means that, at least in some of these reports, the threat actors behind the takeover attempts used some other means to steal their targets’ master passwords.
A few customers have also reported changing their master password after receiving the login warning, only to receive another alert after the password was changed.
To make things even worse, customers who tried to disable and delete their LastPass accounts after receiving these warnings also report getting “Something went wrong: A” errors after clicking the Delete button.
LastPass has recommended that its users enable multifactor authentication to protect their accounts even if their master password has been compromised.