LastPass is a password manager, the kind of security application we always advise people to use to improve the safety of their passwords. These services store all your passwords and help you generate a unique one for each online account, so the only thing you need to remember is a single strong Master Password. That lets you quickly sign in to any account whose credentials you have saved. The flip side is obvious: if a password manager itself were breached, an attacker who could unlock the vault would hold every other password at once. That is the scenario LastPass users have been afraid of since Tuesday afternoon, when reports emerged of a potential data breach. LastPass, however, says it was not hacked, and that attackers do not have access to your Master Password or to the passwords stored in your account.
The LastPass data breach scare
It all started with a post on Hacker News. A user said that LastPass had blocked a login attempt from Brazil. According to the email LastPass sent, the attempt used the account's Master Password.
“What troubles me is that the master password was stored in a local encrypted KeePassX file,” the person wrote. “I can imagine that someone has my KeePassX file and the (completely different) password to this file. If that’s the case, I’m in a world of hurt.”
LastPass later confirmed that the blocked login attempts were real, so the email the user received was not a phishing attack. Moreover, other forum users reported receiving the same type of alert.
This prompted worries that LastPass itself had been hacked, exposing user accounts. Such a breach would be a nightmare scenario for anyone relying on a password manager to secure their online accounts.
LastPass did not suffer a massive password hack
However, that is not what happened, according to the company. In comments to Gizmodo and Apple Insider, LastPass denied a hack. Instead, it says the attackers trying to get into accounts are replaying username and password combinations leaked in other companies' breaches, a technique known as credential stuffing. It only works against users who reused their LastPass Master Password on another site. Here is LastPass's statement:
LastPass investigated recent reports of blocked login attempts and we believe the activity is related to attempted ‘credential stuffing’ activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.
LastPass also said it has seen no evidence that any account was actually accessed or that its service was compromised:
It’s important to note that, at this time, we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.
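To make the "credential stuffing" pattern in the statement above concrete, here is an added example (not LastPass code; the log format, field names, thresholds and the sample events are all constructed for illustration) that triages a small authentication log. It separates a stuffing run, one source address spraying leaked email/password pairs across many accounts with mostly failures, from the per-account new-location alert of the kind the Hacker News user received, and picks out the accounts whose reused password actually worked:

```python
"""Credential-stuffing triage over constructed authentication log lines.

Added example, not vendor code: the log format (timestamp, source IP,
country, account, outcome), the thresholds and the sample events are all
assumptions chosen to show the pattern.
"""
from collections import defaultdict

# Constructed sample log. The 203.0.113.7 lines mimic a stuffing run: one
# source, six different accounts, five failures and one hit. The
# 198.51.100.5 line is one account logging in from a country it has never
# used before, which is the "unrecognized location" case.
SAMPLE_LOG = """\
2021-12-27T14:01:02Z 203.0.113.7 BR alice@example.com FAIL
2021-12-27T14:01:03Z 203.0.113.7 BR bob@example.com FAIL
2021-12-27T14:01:03Z 203.0.113.7 BR carol@example.com FAIL
2021-12-27T14:01:04Z 203.0.113.7 BR dave@example.com FAIL
2021-12-27T14:01:04Z 203.0.113.7 BR erin@example.com SUCCESS
2021-12-27T14:01:05Z 203.0.113.7 BR frank@example.com FAIL
2021-12-27T13:55:00Z 192.0.2.10 US alice@example.com SUCCESS
2021-12-26T09:12:00Z 192.0.2.10 US alice@example.com SUCCESS
2021-12-27T14:20:00Z 198.51.100.5 BR alice@example.com SUCCESS
2021-12-27T12:00:00Z 192.0.2.44 US bob@example.com FAIL
2021-12-27T12:00:30Z 192.0.2.44 US bob@example.com SUCCESS
"""


def parse(log_text):
    """Parse the constructed format into dicts, sorted chronologically.
    ISO-8601 UTC timestamps sort correctly as strings."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, country, account, outcome = line.split()
        events.append({"ts": ts, "ip": ip, "country": country,
                       "account": account, "ok": outcome == "SUCCESS"})
    return sorted(events, key=lambda e: e["ts"])


def stuffing_sources(events, min_accounts=5, min_fail_ratio=0.8):
    """Source IPs that tried many distinct accounts and mostly failed.

    A user mistyping a password hits one account repeatedly; a stuffing
    run sprays one source across many accounts. Distinct accounts per IP
    is therefore the discriminating feature, not the raw failure count.
    Returns {ip: [accounts whose password worked from that ip]}.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "fails": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["accounts"].add(e["account"])
        s["attempts"] += 1
        s["fails"] += 0 if e["ok"] else 1

    flagged = {}
    for ip, s in per_ip.items():
        if len(s["accounts"]) >= min_accounts and s["fails"] / s["attempts"] >= min_fail_ratio:
            # Accounts that let a stuffing source in are the ones whose
            # owners most likely reused a password leaked elsewhere.
            flagged[ip] = sorted(e["account"] for e in events if e["ip"] == ip and e["ok"])
    return flagged


def new_location_logins(events):
    """Successful logins from a country the account has not used before.
    Returns a list of (account, country, ip). Events must be time-ordered."""
    seen = defaultdict(set)
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        known = seen[e["account"]]
        if known and e["country"] not in known:
            alerts.append((e["account"], e["country"], e["ip"]))
        known.add(e["country"])
    return alerts


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evts))
    print("new-location logins:", new_location_logins(evts))
```

An account's first successful login sets its location baseline, so the account the stuffing run got into is caught by the distinct-accounts-per-source rule rather than by the new-location rule. Thresholds like `min_accounts` and `min_fail_ratio` are also where false positives come from: set them too low and ordinary users start receiving warnings about attacks that never happened.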
More good news about Master Password security
In comments to The Verge, LastPass added that some of the alerts were sent in error because of an issue it has since fixed:
Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts.
LastPass also reiterated that the service does not store the user's Master Password: it stays on the user's own device, where it is used to unlock the vault, and is never sent to the company. As a result, even a breach of LastPass's servers would not hand attackers users' Master Passwords:
It is also important to reiterate that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).
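The zero-knowledge claim above is a property of where the key derivation happens, so here is an added illustration of that design (not LastPass's actual scheme; the iteration count, the split into a vault key and a login hash, and the account details are assumptions chosen to show the property). The client turns the Master Password into a vault key locally and sends the server only a derived login hash, which the server salts and stretches again before storing. The last function shows the caveat a practitioner cares about: a stolen server record still lets an attacker guess the Master Password offline, so zero-knowledge prevents disclosure but does not excuse a weak password.

```python
"""Client-side key derivation in a zero-knowledge password manager.

Added illustration, not vendor code: ITERATIONS, the vault-key/login-hash
split and the constructed account below are assumptions for the example.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

ITERATIONS = 100_000  # assumed work factor; a real deployment tunes this


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side only: the key that unlocks the vault. Never transmitted."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"),
        email.lower().encode("utf-8"), ITERATIONS,
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: the credential actually sent on login. One more PBKDF2
    round over the vault key, so the transmitted value reveals neither the
    vault key nor the Master Password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1)


class Server:
    """Holds only a salted, stretched hash of each login hash."""

    def __init__(self) -> None:
        self.records = {}  # email -> (salt, verifier)

    def register(self, email: str, login_hash: bytes) -> None:
        salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)
        self.records[email] = (salt, verifier)

    def authenticate(self, email: str, login_hash: bytes) -> bool:
        salt, verifier = self.records[email]
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)
        return hmac.compare_digest(candidate, verifier)  # constant-time compare


def client_login(server: Server, email: str, master_password: str) -> bool:
    """Everything the client does: derive locally, transmit only the login hash."""
    vault_key = derive_vault_key(master_password, email)
    return server.authenticate(email, derive_login_hash(vault_key, master_password))


def stored_record_contains(server: Server, email: str, secret: str) -> bool:
    """Check the zero-knowledge property: does the raw Master Password appear
    anywhere in what the server keeps for this account?"""
    salt, verifier = server.records[email]
    return secret.encode("utf-8") in salt + verifier


def offline_guess(stolen_record: Tuple[bytes, bytes], email: str,
                  candidates: Iterable[str]) -> Optional[str]:
    """What an attacker holding a stolen server record can still do: run the
    same client derivation over guessed passwords and compare verifiers.
    Zero-knowledge stops disclosure, not brute force."""
    salt, verifier = stolen_record
    for guess in candidates:
        login_hash = derive_login_hash(derive_vault_key(guess, email), guess)
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)
        if hmac.compare_digest(candidate, verifier):
            return guess
    return None


def demo() -> dict:
    """Run the whole flow on a constructed account and report the outcomes."""
    email = "user@example.com"               # constructed
    master = "correct horse battery staple"  # constructed
    server = Server()
    server.register(email, derive_login_hash(derive_vault_key(master, email), master))
    return {
        "login_ok": client_login(server, email, master),
        "wrong_password_rejected": not client_login(server, email, "not the password"),
        "server_has_plaintext": stored_record_contains(server, email, master),
        # A wordlist that happens to contain the password recovers it from
        # the stolen verifier; a password absent from every list does not.
        "cracked_from_stolen_record": offline_guess(
            server.records[email], email, ["password123", "letmein", master]),
        "uncracked_without_it": offline_guess(
            server.records[email], email, ["password123", "letmein"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that none of this helps against credential stuffing: if the same email and Master Password were used on a site that leaked them, the attacker simply runs the normal client flow with a valid credential, which is exactly why the statement above hinges on passwords "obtained from third-party breaches" rather than on anything LastPass stores.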
That is all good news, but LastPass users who received a warning about an unrecognized login attempt may still be worried. If you got one of these emails, change your Master Password and make sure the new one is unique to LastPass, since credential stuffing only works when a password has been reused elsewhere. You should also review the sensitive accounts stored in LastPass for unauthorized activity, and it is a good idea to change the passwords for those services, especially any that share a password with another site.
You should also turn on two-factor authentication for LastPass and for other sensitive accounts; it blocks a stuffing attempt even when the attacker has the correct password.
If none of this puts your mind at ease, you can migrate your passwords to a competing service. 1Password is one such alternative, but there are other password managers to choose from.