Lastpass: an internal error sows doubts


This is the kind of mistake that Lastpass could have done without. Several users reported on Twitter that they had received alert emails from Lastpass informing them that their master password, the password used to unlock access to the other passwords stored in the Lastpass manager, had been used by a third party to attempt to access their account on the cloud version of the service. Lastpass, a subsidiary of LogMeIn, offers a password manager that stores all of a user's passwords in a secure space protected by a "master" password known only to the user. The message also stated that Lastpass had blocked the access attempt, as it did not recognize the IP address of the user trying to access the account.

The news is cause for concern: as a rule, the master password used to access Lastpass is a unique password that is not reused on other online services. The alerts therefore suggested that malicious actors had managed to retrieve a list of master passwords belonging to Lastpass users and were attempting to use them to access the other passwords those users had stored in the service.

Several users publicly expressed concern about the situation on social media, prompting Lastpass to investigate and respond. The press release published by Lastpass sought to calm those concerns: according to the company, its teams have identified no compromise of any Lastpass account. The company says that the alert emails received by users were sent as a result of internal errors, and that the password manager's teams have taken measures to prevent this type of error from recurring.

Lastpass also points out that its service does not store users' master passwords in any way, and that it is therefore not possible for a malicious actor who has managed to hack the service to recover all the user passwords. Other scenarios are possible, however, such as malware installed on users' devices that captures the password as the user types it on the keyboard to access the password manager service. In this specific case, Lastpass says it has found no evidence of a campaign to harvest passwords from its users through malware.




