LastPass Says No Passwords Were Stolen in Latest Security Threat

LastPass clarified that it doesn’t store master passwords on its servers.

 

Near the end of December 2021, multiple users of password manager firm LastPass reported that their master passwords were compromised after they received alerts via email that someone from an unknown location attempted to log in to their accounts.

The email notifications also mention that the account access was blocked due to the unknown location where the attempt was made. "Someone just used your master password to try to log in to your account from a device or location we didn't recognize," the login alert says. "LastPass blocked this attempt, but you should take a closer look. Was this you?"

Reports of compromised LastPass master passwords have been circulating on social media sites such as Twitter, Reddit, and Hacker News after a LastPass user created a post to highlight the issue. He claims that LastPass warned him of a login attempt from Brazil using his master password.

This led to speculation that a vulnerability in a LastPass server allowed attackers to steal master passwords, as these emails only arrive if the unauthorized person logs in with the correct password. However, this seemed unlikely, as LastPass clarified that it doesn’t store master passwords on its servers.

"LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services," LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum told BleepingComputer.

"It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure," Nikolett added. 

However, users of LastPass who received these warnings have said that their passwords were only used to log in to LastPass and not used elsewhere. To mitigate further threats, security researchers have recommended LastPass users enable multifactor authentication to guard their accounts even if their master password was not compromised.