LastPass: Users Report Suspicious Activity on Their Accounts


Fanny Dufour

December 29, 2021 at 11:00 a.m.


Several users of the password manager LastPass reported receiving an email warning them of attempts to log into their account using their master password.

LastPass, for its part, maintains that it has not been compromised and that the attempts detected are credential stuffing. The company also raises the possibility that some of these alerts were sent in error.

Attempts to log in using the users’ real master passwords

Several users have taken to Twitter, Reddit and Hacker News in recent hours to report receiving an email from LastPass telling them that a login attempt had been made on their account. "Someone just used your master password to try to sign in to your account from a device or location that we didn't recognize. LastPass blocked the attempt, but you should take a closer look. Was it you?" reads the message, implying that the users' real master passwords were used in these login attempts.

By comparing the emails they received, several users noticed that the IP addresses given in the email were similar and appeared to be from Brazil, while others reported login attempts from other countries. Most of these users state that the master password they use to unlock the password manager was unique to LastPass and was not stored anywhere else, which quickly raised fears of a security breach within LastPass itself.

Other user reports indicate that after changing their master password, they continued to receive emails warning them of a connection attempt, as if their new password had been immediately compromised.

LastPass tries to reassure its users

Despite these user reports, LastPass quickly issued a statement denying that the service had been compromised. Instead, the company indicated that the activity came from bots carrying out attacks such as credential stuffing.

Credential stuffing is a type of attack in which login attempts are made automatically using email address/password pairs taken from lists obtained in previous breaches.

Attackers take credentials leaked in a breach of one service and try them against another service, betting that users have reused the same credentials in several places. Shortly afterwards, the company reiterated its credential stuffing explanation, while indicating that some of the security alerts were probably due to an error that has since been corrected.

Security researcher Bob Diachenko, for his part, indicated that the email addresses and passwords of users who received the security alerts do not appear in the recently leaked logs of the RedLine Stealer malware, which he says contain thousands of LastPass credential pairs.

LastPass remains reassuring and states that it has no evidence that user accounts were compromised as a result of these possible attacks. While doubt still persists about why these security alerts were sent, whether because of credential stuffing or a simple mistake, LastPass users are advised to take the usual precautions while awaiting further information: change their master password and enable multi-factor authentication.


Sources: BleepingComputer, Twitter


