The popular password manager LastPass has left users baffled after their master passwords were seemingly breached. However, the vendors have denied any direct hacking attempts, deeming the matter as a credential stuffing attack.
LastPass Master Passwords
Recently, users have shared multiple complaints of failed attempts when signing in to their LastPass accounts. Such reports make users suspect a potential breach of LastPass master passwords.
It remained unclear for a while whether there has been a cyber attack on LastPass or not. However, later, the vendors have denied such possibilities via a blog post.
As explained, the hackers might have gained access to users’ master passwords via credential stuffing. LastPass assured that the platform remained safe from any potential cyber attack.
Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity… We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.
Still, it remains unclear if that’s precisely what happened since some users even complained of receiving similar alerts even after resetting the master password.
Then, investigating things further made LastPass deduce that the additional alerts users had received were likely erroneous. Consequently, LastPass “adjusted” the security alert system to resolve the issue.
Furthermore, the service assured to have stored no master passwords.
LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).
For now, it seems the issue has been resolved. Nonetheless, LastPass users should still ensure to change their master passwords as a precaution to keep their passwords safe.