Late Tuesday, LastPass customers had a security fright when they received emails from the company informing them that unauthorised attempts to access their accounts had been thwarted. Some LastPass subscribers indicated they were warned of repeated attempted logins using accurate master passwords from various places, as first reported by AppleInsider. LastPass acknowledged that the email warnings were connected to a credential stuffing effort, in which hostile actors attempt to log in to many accounts using previously validated credentials, but that no master passwords were stolen.
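The two signals described above, a single source replaying a list of credentials against many accounts, and one account seeing its correct master password presented from several places, are the patterns a defender would look for in authentication logs. The script below is an added example, not LastPass's code: it runs both checks over a constructed, comma-separated log (timestamp, username, source IP, country, result), and the thresholds are deliberately low to fit the small sample.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not LastPass code. The log format is constructed:
one event per line, comma-separated:
    timestamp,username,source_ip,country,result
where result is "ok" (correct password presented) or "fail".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hits many accounts with a low success
# rate (a replayed credential list), and one account is hit with the
# right password from several countries, the pattern users reported.
SAMPLE_LOG = """\
2021-12-28T01:00:01Z,alice,203.0.113.7,BR,fail
2021-12-28T01:00:03Z,bob,203.0.113.7,BR,fail
2021-12-28T01:00:05Z,carol,203.0.113.7,BR,ok
2021-12-28T01:00:07Z,dave,203.0.113.7,BR,fail
2021-12-28T01:00:09Z,erin,203.0.113.7,BR,fail
2021-12-28T01:00:11Z,frank,203.0.113.7,BR,fail
2021-12-28T01:05:00Z,carol,198.51.100.4,IN,ok
2021-12-28T01:09:00Z,carol,192.0.2.99,RU,ok
2021-12-28T02:00:00Z,alice,192.0.2.10,US,ok
2021-12-28T09:00:00Z,alice,192.0.2.10,US,ok
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country,
            "ok": result == "ok",
        })
    return events


def stuffing_sources(events, window=timedelta(minutes=10),
                     min_accounts=5, max_success_rate=0.5):
    """Source IPs that try many distinct accounts inside one window with
    mostly failures: a credential list is being replayed, not guessed.
    Thresholds are tuned for the sample; production values are higher."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):          # sliding window over this IP
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            rate = sum(e["ok"] for e in chunk) / len(chunk)
            if len(users) >= min_accounts and rate <= max_success_rate:
                if best is None or len(users) > best["accounts"]:
                    best = {"accounts": len(users),
                            "success_rate": round(rate, 2)}
        if best:
            flagged[ip] = best
    return flagged


def traveling_accounts(events, window=timedelta(hours=1), min_countries=3):
    """Accounts whose correct password is presented from several countries
    inside one window: the credential is known to someone else, so the
    account needs step-up verification and a master password change."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            countries = {e["country"] for e in evs[start:end + 1]}
            if len(countries) >= min_countries:
                flagged[user] = sorted(countries)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evs))
    print("accounts to step up:", traveling_accounts(evs))
```

The per-source check is what lets a service distinguish stuffing from ordinary failed logins: a brute-force guesser hits one account many times, while a stuffing run touches many accounts once or twice each. The per-account check is the one that justifies an alert to the user, since a correct password arriving from several countries within an hour means the secret has leaked even if no login completed.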
LastPass vice president of product management Dan DeMichele said in a statement that the email security warnings were sent to a small number of LastPass customers and were most likely triggered by mistake. LastPass’ security alert mechanisms have been updated, according to DeMichele, and the problem has been rectified.
“We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of this credential stuffing, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns,” DeMichele said. “However, out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.”
It’s not the first time LastPass has faced a security concern or been chastised for its privacy policies, despite the fact that its source code is proprietary rather than open-source. LastPass’ most famous breach occurred in 2015, and it is the only breach mentioned on the company’s official website. However, in the same year, Asana Security Head Sean Cassidy discovered a phishing vulnerability caused by a CSRF bug, and a research paper was published detailing another CSRF bug and showing that LastPass’ Safari bookmarklet option was vulnerable if users were tricked into clicking certain parts of an attacker’s site.
Two vulnerabilities were discovered in 2016. The first was identified by security researcher Mathias Karlsson, while the second was discovered by Google Project Zero’s Tavis Ormandy, prompting LastPass to advise users to upgrade their browsers. In 2017, LastPass fixed another serious security hole in its browser extension, which is the Achilles’ heel of most password managers and could have allowed hackers to access a user’s account. This preceded research published in 2019 by the University of York, which discovered another vulnerability that would allow malicious copycat apps to take advantage of LastPass’ autofill capability. Ormandy returned to examining LastPass later in 2019, uncovering a third browser extension flaw that exposed login credentials submitted on a previously visited site, which LastPass once again fixed.
LastPass was in the news again in February 2021, this time for its usage of web trackers.
LastPass said it will continue to monitor the service for unusual or malicious behaviour and take any required actions to maintain user data protection in the wake of Tuesday’s security concern.
LastPass’ impartial, third-party audits are limited in their public availability, unlike those undertaken by competitors RememBear, NordPass, and open-source Bitwarden. While LogMeIn maintains a library of audits for a number of its properties, the business claims that their extra cloud security audit for LastPass is only available if you agree to a nondisclosure agreement. Organizational audits, as well as a list of organisations that LastPass works with, have generally been made public.
As a preventive security precaution, LastPass users should change their master password regularly and enable multifactor authentication on their accounts. If you’ve used your LastPass master password for other password managers, such as Bitwarden or 1Password, we recommend that you update them as well. Also, if you use a password manager, make sure you don’t reuse the master password for any other site, service, or app.
How to Change the Master Password in LastPass
Logging into your vault using LastPass’ main site is the simplest way to update your master password. Due to the recent scare, you may be prompted to validate your identity when attempting to log in for the first time. If that’s the case, you’ll almost certainly need to confirm your login attempt via an email sent to the address linked with your LastPass account. If you have trouble logging in, check your mailbox for a LastPass email.
Once you’ve signed into your vault, go to the top-right corner of the screen and select the little inverted triangle symbol just to the right of your LastPass user name to expand your account menu. Select Account Settings.
A window will appear. The General tab is the first one you’ll come across. A row labelled Master Password appears under the Login Credentials heading. Click the Change Master Password button just to the right of that row.
You’ll be asked to confirm your existing master password, create a new master password, and add a hint to help you remember it if you forget it.
You may go to Have I Been Pwned and put your email address in the search field to see if the email address linked with your LastPass account has been implicated in any recent breaches.
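The email lookup above tells you whether your address has appeared in a breach; the same service also publishes its Pwned Passwords corpus through a range API that lets you test a candidate master password without ever sending the password or its full hash. The script below is an added example, not LastPass's or Have I Been Pwned's code, and goes a step beyond the page's email check: it implements the k-anonymity lookup against the real endpoint `https://api.pwnedpasswords.com/range/<prefix>` (only the first five hex characters of the SHA-1 are sent), and ships a constructed stand-in server with made-up counts so it runs offline.

```python
"""Check a candidate master password against the Pwned Passwords range API.

Added example, not LastPass or HIBP code. The protocol is the real one:
the client sends the first five hex characters of the password's SHA-1 to
https://api.pwnedpasswords.com/range/<prefix>, and the server answers with
every known hash suffix under that prefix plus a breach count, so the
server never learns which password was checked. `fake_range_server` is a
constructed stand-in for that endpoint; `live_fetch` does the real call.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def live_fetch(prefix: str) -> str:
    """Fetch the real range for a 5-character hex prefix (needs network)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


def pwned_count(password: str, fetch=live_fetch) -> int:
    """How often the password appears in the corpus; 0 means not found."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch(prefix)).get(suffix, 0)


def is_safe_master_password(password: str, fetch=live_fetch) -> bool:
    """A master password that appears in any breach corpus is unsafe,
    because a credential stuffing run will try it."""
    return pwned_count(password, fetch) == 0


# Constructed corpus for the offline stand-in; the counts are made up.
FAKE_CORPUS = {"password123": 126_927, "letmein": 48_316, "lastpass2021": 3}


def fake_range_server(prefix: str) -> str:
    """Answer like the range endpoint, but only for FAKE_CORPUS."""
    lines = []
    for pw, count in FAKE_CORPUS.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fetch=fake_range_server))
```

To test a real password, call `pwned_count(pw)` with the default `live_fetch`; the only thing that leaves your machine is a five-character hash prefix shared by hundreds of unrelated passwords. The check belongs at the moment a new master password is chosen, before it is saved, which is the step described in the instructions above.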