LastPass may be one of the best-known password managers out there, and while many have turned their back on it following what was effectively the shutdown of its free tier in 2021, it’s still a popular choice. Now, reports have popped up from people saying that someone tried to log into their accounts using their correct master passwords. That’s bad enough for those affected, but LastPass says there is no indication that its servers were hacked, instead pointing to "third-party breaches related to other unaffiliated services." A coordinated attack can apparently be ruled out as well, with LastPass saying that some of its recent login warnings were sent out in error.

AppleInsider first spotted the reports in the Hacker News forum, where multiple users write that LastPass informed them about blocked login attempts originating from other parts of the world, mostly Brazil. According to the emails these people have received, LastPass tells them that the correct master passwords were used, but that the attempts were still blocked due to the unusual geographic location.

We reached out to LastPass owner LogMeIn with these reports, and the company states,

LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.

That said, there still appears to be a coordinated attempt to log into LastPass accounts. AppleInsider writes that more and more reports are popping up, and even though LastPass itself hasn’t been hacked, there appears to be a larger, automated effort to break into individual LastPass accounts.
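The two behaviours described above, a login rejected despite a correct password because it comes from a country the account has never used, and a single source hammering many accounts with breached credentials, are easy to illustrate. The following is an added example, not LastPass code; the log format, the field names and both thresholds are assumptions, and the log lines are constructed for the demo.

```python
"""Toy login-risk evaluation in the style of the behaviour reported above.

Rule 1: a correct password from a country never seen for that account is
        blocked (the "unusual geographic location" case).
Rule 2: an IP that tries many distinct accounts in a short window is a
        credential-stuffing source, whether or not the passwords were right.
Added illustration; thresholds and log format are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, source IP, country, password check.
# "pw_ok" only says the submitted password matched; it says nothing about 2FA.
SAMPLE_LOG = """\
2021-12-20T10:00:00Z alice@example.com 203.0.113.10 DE pw_ok
2021-12-21T09:12:00Z bob@example.com 203.0.113.11 US pw_ok
2021-12-22T18:30:00Z dave@example.com 203.0.113.12 US pw_ok
2021-12-27T22:40:01Z alice@example.com 198.51.100.7 BR pw_ok
2021-12-27T22:40:03Z bob@example.com 198.51.100.7 BR pw_bad
2021-12-27T22:40:04Z carol@example.com 198.51.100.7 BR pw_bad
2021-12-27T22:40:06Z dave@example.com 198.51.100.7 BR pw_ok
2021-12-27T22:40:09Z erin@example.com 198.51.100.7 BR pw_bad
2021-12-27T22:40:10Z frank@example.com 198.51.100.7 BR pw_bad
2021-12-28T08:00:00Z alice@example.com 203.0.113.10 DE pw_ok
"""

STUFFING_WINDOW = timedelta(minutes=10)   # assumption: sliding window per IP
STUFFING_MIN_ACCOUNTS = 5                 # assumption: distinct accounts per IP


def parse_log(text):
    """Parse the constructed log format into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "ip": ip,
            "country": country,
            "pw_ok": result == "pw_ok",
        })
    return sorted(events, key=lambda e: e["ts"])


def evaluate_logins(events):
    """Rule 1. Returns (account, ts, country, action) per event.

    An account with no history is allowed and its country learned; a correct
    password from a country not in the account's history is blocked and the
    country is NOT learned, so a bot cannot teach the system a new location.
    """
    known_countries = defaultdict(set)
    decisions = []
    for e in events:
        seen = known_countries[e["account"]]
        if not e["pw_ok"]:
            action = "reject_bad_password"
        elif not seen or e["country"] in seen:
            action = "allow"
            seen.add(e["country"])
        else:
            action = "block_new_country"
        decisions.append((e["account"], e["ts"], e["country"], action))
    return decisions


def stuffing_sources(events, window=STUFFING_WINDOW,
                     min_accounts=STUFFING_MIN_ACCOUNTS):
    """Rule 2. IPs that touched >= min_accounts distinct accounts inside window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((e["ts"], e["account"]))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {acct for _, acct in attempts[start:end + 1]}
            if len(distinct) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


def blocked_accounts(decisions):
    """Accounts whose correct password was rejected on location alone."""
    return {acct for acct, _, _, action in decisions if action == "block_new_country"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for acct, ts, country, action in evaluate_logins(evs):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {acct:<18} {country} {action}")
    print("credential-stuffing sources:", stuffing_sources(evs))
```

Run on the constructed log, alice and dave are blocked from Brazil even though their passwords were right, and 198.51.100.7 is flagged after trying six accounts in nine seconds. Two limits worth noting: an account with no location history cannot be protected by rule 1, and neither rule tells you where the correct password came from, which is exactly the question the rest of this piece is about.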

Digging deeper into the Hacker News thread, it appears that most of the affected users haven’t actively used LastPass for a long time, nor have they changed their master passwords in a while.

Hacker News forum members have offered a few speculative causes. One comment linked to an older Hacker News post detailing a LastPass autofill exploit from 2015, suggesting that’s where the master passwords could have come from. Others suspected that the users in question were phished in an elaborate scheme: looking up the IP addresses that attempted to log into the accounts in question leads to a phishing site that claims you have won some tech product, only to later ask you to enter sensitive data.

There was also speculation that the passwords could have leaked through LastPass’ old, discontinued forum, which supposedly required users to log in with their LastPass master password. Thanks to bugs like Heartbleed in 2014, which exposed fragments of server memory, it may have been possible to extract passwords from the forum server as users logged in. However, LastPass says there is no indication that the passwords were uncovered through any of these means.

Given that LastPass hasn’t noticed any suspicious activity on its servers, it’s unlikely that someone actually managed to hack the password manager itself. LastPass and its competitors don’t store master passwords and follow zero-knowledge principles: the master password is turned into a key on the user’s own device, and the server only ever sees a one-way hash derived from it. That makes it unlikely, if not impossible, to recover master passwords directly from the source, although a weak master password could still be guessed offline if such a hash were ever to leak.
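To make the zero-knowledge point concrete, here is an added example of the general design, not LastPass’ own implementation or code: the client stretches the master password into a vault key that never leaves the device, sends the server only a further one-way hash of it, and the server stores a salted hash of even that. The iteration counts, the use of the e-mail address as salt and the extra round for the login hash are assumptions modelled on the general scheme.

```python
"""Client-side master-password handling, zero-knowledge style.

Added illustration of the general design; parameters are assumptions and
this is not LastPass code.
"""
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 100_000  # assumption; real clients use their own tunable count
SERVER_ITERATIONS = 10_000   # assumption; extra server-side stretching of the login hash


def derive_vault_key(master_password: str, email: str,
                     iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Key that encrypts the vault. Computed on the device; never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One more one-way step. This is the only password-derived value the server sees."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


class Server:
    """Holds a salted hash of the login hash: neither the master password nor
    the vault key is present in its database, so a server breach alone yields
    neither, only material that can be attacked offline by guessing."""

    def __init__(self):
        self.records = {}  # email -> (salt, stretched login hash)

    def register(self, email: str, login_hash: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)
        self.records[email] = (salt, stored)

    def verify(self, email: str, login_hash: bytes) -> bool:
        if email not in self.records:
            return False
        salt, stored = self.records[email]
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)
        return hmac.compare_digest(candidate, stored)


def client_register(server: Server, email: str, master_password: str) -> bytes:
    """Enrol an account; returns the vault key the client keeps locally."""
    key = derive_vault_key(master_password, email)
    server.register(email, derive_login_hash(key, master_password))
    return key


def client_login(server: Server, email: str, master_password: str) -> bool:
    """What a legitimate client (or a bot replaying a breached password) does."""
    key = derive_vault_key(master_password, email)
    return server.verify(email, derive_login_hash(key, master_password))


def server_holds_secret(server: Server, email: str, master_password: str) -> bool:
    """True if the server record literally contains the password or vault key."""
    salt, stored = server.records[email]
    key = derive_vault_key(master_password, email)
    return master_password.encode() in stored or key in (salt, stored)


if __name__ == "__main__":
    srv = Server()
    client_register(srv, "alice@example.com", "correct horse battery staple")
    print("legit login:", client_login(srv, "alice@example.com", "correct horse battery staple"))
    print("wrong password:", client_login(srv, "alice@example.com", "hunter2"))
    print("server stores password or key:", server_holds_secret(srv, "alice@example.com",
                                                               "correct horse battery staple"))
```

The design does what the article says: the records held by `Server` contain neither the master password nor the vault key. It also shows what zero-knowledge does not do. Because the e-mail address and the iteration count are not secret, anyone who obtained the same password from an unrelated breach can run exactly the `client_login` path and produce an accepted login hash, which is the credential-stuffing scenario LastPass describes; and if the stored records ever leaked, a short or reused master password could still be recovered by guessing offline.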

However, it’s odd that many affected LastPass users are adamant that they’ve never reused their LastPass master password for other services, and some have even been hit by blocked login attempts with the right password shortly after changing their credentials. It sure looks like there must be some common factor among these users, such as malware or a keylogger capturing their master passwords as they’re typed. Bleeping Computer reports that the company fixed a security vulnerability in its Chrome extension as recently as 2019, so an attack vector once existed. It’s possible that another problem in some LastPass software, or in a third-party extension or app, has cropped up in the meantime.

Although LastPass says it hasn’t been hacked, it’s possible that your years-old master password has leaked via other means, as the company itself states. Given that LastPass users are experiencing this influx of login attempts right now, you should change your master password, and use a different computer than you usually do just to be sure, in case something on your regular machine is capturing keystrokes. While you’re at it, it also makes sense to activate two-factor authentication for your password manager, which gives you an additional layer of security even if the master password itself is known. If you’re not using LastPass any longer, consider deleting your account to prevent anyone from accessing passwords potentially still saved to it.

UPDATE: 2021/12/29 04:51 EST BY MANUEL VONAU

LastPass statement

Following further investigation, LastPass’ Vice President of Product Management Dan DeMichele has shared that there is no indication that rogue browser extensions, malware, or successful phishing attacks on LastPass subscribers are the cause of the influx of login attempts. A small number of the warnings LastPass sent out via email appear to have been triggered in error, too.

Here's the verbatim statement we received:

As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts.

We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.

However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.

Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.

These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).

We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.

Thanks: Anthony