Recently Twitter exploded with reports from around the world of people who received a notification from LastPass regarding a string of suspicious login attempts. Most of them came from countries other than the ones the impacted users lived in.
Naturally this led to speculation that LastPass had been hacked and some portion of the passwords stored by their massive user base were stolen. This created something of a panic because LastPass and similar sites are considered one of the last safe refuges where passwords are concerned.
The company responded that there was no evidence that LastPass servers had been breached but questions persisted. If that was the case, then why did the company send out notifications to users regarding suspicious login attempts? The company’s investigation into the matter continued.
Recently LastPass issued another update which reads as follows:
“As previously stated, LastPass is aware of and has been investigating recent reports of users receiving e-mails alerting them to blocked login attempts.
We quickly worked to investigate this activity and at this time we have no indication that any LastPass accounts were compromised by an unauthorized third party as a result of this credential stuffing, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions or phishing campaigns.
However out of an abundance of caution, we continued to investigate in an effort to determine what was causing the automated security alert e-mails to be triggered from our systems.
Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.
These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to reiterate that LastPass’s zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s).
We will continue to regularly monitor for unusual or malicious activity and will, as necessary, continue to take steps designed to ensure that LastPass, its users and their data remain protected and secure.”
It seems that it was a false alarm. Even so, if you are a LastPass user you should enable two-factor authentication as soon as possible to minimize your risk.