According to The Verge, popular password manager LastPass has denied the possibility of a data breach after several users reported being notified of unauthorized attempts to log in to their LastPass accounts, which for most users contain sensitive login credentials for everything from social media platforms to their bank accounts.
When one LastPass user posted on the Hacker News forum after the password manager supposedly warned him of an unusual login attempt from Brazil using his master password, similar reports from other users started flooding in. This, understandably, raised concerns that LastPass was (or was in the process of being) compromised.
Something very strange and bad is happening to a lot of people's @LastPass accounts. I posted this to Hacker News and it gathered 192 comments, including 7 separate reports of master password breaches & login attempts from the same Brazil IP range. Uhh. https://t.co/tcM0aFdavv`
— Greg Technology (@technology_greg) December 27, 2021
LastPass parent company LogMeIn maintains that the service’s defences were never breached and that no user accounts or sensitive user information have been accessed by a third party.
Nikolett Bacso-Albaum, Senior Director of Global PR at LogMeIn, told The Verge that the alerts users received were related “to fairly common bot-related activity,” whereby bad actors attempt to log in to LastPass users’ accounts using email addresses and passwords obtained from past breaches of other services (i.e. not LastPass), a frequent practice in black-hat hacking.
“It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party,” said Basco-Albaum.
“We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.”
When LastPass does determine that a hack has taken place, it is pretty good about promptly informing users and requiring that they reset their master password.
Of course, LastPass isn’t invulnerable, and neither are other password managers. Using at least two-factor authentication on any account you don’t want anyone else getting access to really should be commonplace in this day and age.