LastPass may be one of the best-known password managers out there, and while many have turned their back on it following what was effectively the shutdown of its free tier in 2021, it’s still a popular choice. Now, a few reports have popped up with people saying that there were login attempts using their correct master passwords. While that’s bad enough for those affected, LastPass says that there is no indication that their servers were hacked, instead pointing to "third-party breaches related to other unaffiliated services."

AppleInsider first spotted the reports in the Hacker News forum, where multiple users write that LastPass informed them about blocked login attempts originating from other parts of the world, mostly Brazil. According to the emails these people have received, LastPass tells them that the correct master passwords were used, but that the attempts were still blocked due to the unusual geographic location.

We reached out to LastPass owner LogMeIn with these reports, and the company states,

LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.

That said, there still appears to be a coordinated attempt to log into LastPass accounts. AppleInsider writes that more and more reports are popping up, so even though LastPass itself hasn't been hacked, there appears to be a broader effort to break into individual LastPass accounts.
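The blocking behaviour described above (a correct password arriving from an unfamiliar country) and the telltale pattern of one origin hitting many different accounts, as an added illustration; this is not LastPass's code, and the users, countries and events are constructed sample data.

```python
"""Replay login events and block correct-password attempts from unfamiliar locations."""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_EVENTS = [  # constructed sample: (user, source country, password_correct), in order
    ("alice@example.com", "US", True),
    ("alice@example.com", "US", True),
    ("alice@example.com", "BR", False),  # wrong guess: plain deny
    ("alice@example.com", "BR", True),   # right password, wrong place: block and notify
    ("bob@example.com", "DE", True),
    ("bob@example.com", "BR", True),     # same pattern against a second account
    ("carol@example.com", "BR", True),   # no history yet: nothing to compare against
]

@dataclass(frozen=True)
class Decision:
    user: str
    country: str
    action: str   # "allow" | "block" | "deny"
    reason: str

def evaluate_logins(events, known_countries=None):
    """Return one Decision per event; only allowed logins extend a user's baseline."""
    known = defaultdict(set) if known_countries is None else known_countries
    decisions = []
    for user, country, password_ok in events:
        if not password_ok:
            decisions.append(Decision(user, country, "deny", "wrong password"))
        elif not known[user]:
            # A dormant or brand-new account has no baseline; its first login seeds one.
            known[user].add(country)
            decisions.append(Decision(user, country, "allow", "first login seeds baseline"))
        elif country in known[user]:
            decisions.append(Decision(user, country, "allow", "known location"))
        else:
            # Correct password from a new country: hold the login and alert the owner.
            decisions.append(Decision(user, country, "block", "correct password from new country"))
    return decisions

def stuffing_sources(decisions, min_accounts=2):
    """Countries whose blocked-but-correct attempts hit at least min_accounts distinct users.

    Many accounts, right passwords, one origin is the signature of replayed breach
    credentials rather than a single owner travelling.
    """
    hits = defaultdict(set)
    for d in decisions:
        if d.action == "block":
            hits[d.country].add(d.user)
    return {c: len(users) for c, users in hits.items() if len(users) >= min_accounts}
```

The carol case shows the limit of this check: an account with no login history cannot be geo-filtered at all, which is why a second factor matters more for dormant accounts.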

Digging deeper into the Hacker News thread, it appears that most of the affected users haven’t actively used LastPass for a long time and haven’t changed their passwords in a while either. A comment links to an older Hacker News post detailing a LastPass autofill exploit from 2015, which could hint at where the master passwords came from. Others suspect that the users in question were phished in an elaborate scheme: when looking up the IP addresses that attempted to log into the affected LastPass accounts, you wind up on a phishing site that pretends you have won some tech product, only to later ask you to enter sensitive data.

There is also speculation that the passwords could have leaked through LastPass’ old, discontinued forum, which supposedly required users to log in with their LastPass master password. Thanks to vulnerabilities like Heartbleed in 2014, it may have been possible to extract passwords from it whenever users logged in.

Given that LastPass hasn’t noticed any suspicious activity on its servers, it’s very unlikely that someone has actually managed to hack the password manager itself. LastPass and its competitors don’t store passwords, let alone master passwords, in plain text, so even in the event of a breach an attacker would need to perform a practically infeasible number of calculations to decipher whatever data is saved on LastPass’ servers.

Although LastPass hasn’t been hacked, it’s possible that your years-old master password has leaked by other means, as the company itself states. Given that LastPass users are experiencing this influx of login attempts right now, you should change your master password just in case. While you’re at it, it also makes sense to enable two-factor authentication for your password manager, which adds a second layer of protection even if the master password is known. If you’re no longer using LastPass, consider deleting your account to prevent anyone from accessing passwords that may still be saved in it.

