One user who received an email alert from LastPass said it warned of an unauthorized login attempt on their account using its master password.
LastPass password manager users were alarmed to receive alerts that their accounts had been compromised in an attack. The company released a statement on December 28th saying that credential stuffing attacks could impact some users; it later clarified that the alerts were false.
AppleInsider first reported the LastPass account compromise alerts. The alerts told users that unauthorized parties had tried to access their accounts from various parts of the world, including Brazil, and that LastPass had blocked the attempts.
Notably, most of the accounts that received the alert were outdated, and the login attempts were linked to credential stuffing, in which threat actors try to access accounts using credentials obtained from an earlier third-party breach of other services.
In a blog post, Gabor Angyal, Vice President of Engineering at LastPass, stated there was no indication that any LastPass accounts had been compromised.
“There is no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.”
“Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved,” the blog post read.
LastPass further noted that it minimizes the risk of leaking users’ master passwords through a “zero-knowledge security model,” under which the company never stores, learns, or can access any user’s master password. Because the master password is never stored by the company, it cannot be exposed from the company’s side.