Despite some users receiving security alerts, LastPass denied that user passwords have been compromised. Here’s what to know…
Near the end of December 2021, concerns were raised that password manager company LastPass had suffered a security breach that compromised users’ master passwords.
This was a result of LastPass users reporting that they had received alerts of logins attempts to their accounts. However, LastPass has since issued an update explaining the incident and saying that no passwords were compromised.
Here’s what to know about the incident…
False Alarm at LastPass Regarding Breach
Following reports that there may have been a breach, LastPass was quick to invalidate the claims.
Concerns about a breach were raised after a number of users said that they had received emails saying that there were unauthorized login attempts using their LastPass master passwords.
In a statement issued to AppleInsider, the company said:
It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party.
If there had been a breach or leak that gave hackers access to LastPass users’ master passwords, the effects would’ve been catastrophic.
Unless the user has two-factor authentication (2FA) implemented, the attacker would have had access to all of their login credentials.
Why Did LastPass Users Receive Alerts?
LastPass has attributed the increase in attempted login attempts to “common bot activity”. All the bots would need is an email address before they start trying out random passwords.
It’s also worth noting that only a small portion of LastPass users suffered from this. That’s because the bots most likely got the email addresses from previous leaks and breaches from third-party websites and services.
However, while it’s a likely scenario, that’s not what happened with all users.
Vice President of Product Management at LastPass Dan DeMichele revealed that some of those alerts were triggered in error and not through an actual attempt to access the users’ accounts.
DeMichele told The Verge:
Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems, and this issue has since been resolved.
Protecting Your LastPass Account
While LastPass is known for taking user security very seriously, it’s important to keep your guard up. If your email has been compromised before, consider changing it.
Also, regularly change your LastPass account master password and make use of the offered 2FA feature to double lock your account.
The password manager was acquired by LogMeIn in 2015, but things are about to change. So what might this mean for users’ privacy?
About The Author