LastPass Claims Your Passwords Are Safe Despite Those Security Warnings It Sent
LastPass is telling its users that there is no evidence to suggest their passwords have been compromised, after previously sending out emails to some users stating their master passwords have been compromised. So what exactly is going on? According to LastPass, the email warnings were "likely triggered in error."
"These alerts were triggered due to LastPass’s ongoing efforts to defend its customers from bad actors and credential stuffing attempts. It is also important to remember that LastPass’ zero-knowledge security model means that at no time does LastPass store, have knowledge of, or have access to a user’s Master Password(s)," Gabor Angyal, VP of Engineering at LastPass, stated in a blog post.
The issue came to attention when a LastPass user posted to Hacker News
that they received an email from LassPass stating it blocked a login attempt
from Brazil, and that whoever attempted the login was in possession of of their master password.
LastPass subsequently launched an investigation into multiple users receiving blocked access emails, which are typically sent to individuals who log in from different devices and locations. The company initially determined that the alerts were triggered by attempted "credential sniffing," whereby an unauthorized user attempts to gain access to an account using login credentials obtained from a third-party security breach.
"We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns," Angyal said.
Nevertheless, LastPass continued to investigate "out of an abundance of caution," and that's when it determined that some of the security alerts were mistakenly sent out. It has since adjusted its security alert system to be less trigger-happy.
If you use LastPass, you might want to consider changing your master password out of your own abundance of precaution and peace of mind, though as of this moment it doesn't sound like that's necessary. And as general guidance, avoid using your master password anywhere else. It's also a good idea to enable two-factor authentication wherever possible.