LastPass, one of the most widely used password managers, appears to have suffered a security incident: users are reporting unusual activity involving their master passwords. The master password unlocks the application and gives access to every credential the user has stored in the vault, so any compromise of it is far more serious than the loss of a single site password.
Changing the master password does not help
Users also reported that someone attempted to log in to LastPass with their master password. One user changed the password as a precaution, only to see another login attempt a few hours later. If that attempt used the new password, it would suggest that the attackers have live access to current credentials rather than a static list of users and passwords harvested from somewhere else; at the time of writing this rests on individual reports and has not been confirmed.
Someone tried my @LastPass master password earlier yesterday and then someone just tried it again a few hours ago after I changed it. What the hell is going on?
— Valcrist (@Valcristerra) December 28, 2021
Affected users learned of the attempts from LastPass's own e-mail notifications. LastPass does not grant immediate access from an unrecognized device or location, even when the correct master password is supplied; instead it sends the account holder an automated e-mail asking them to review and approve the attempt. This extra layer appears to have kept many accounts from being fully compromised, with the usual caveat that an e-mail approval step is only as strong as the mailbox it is sent to.
LastPass said the alerts were most likely ordinary bot activity, that is, credential stuffing: attackers replay passwords leaked from another breached service, and where a user reused that password as their LastPass master password it simply worked for LastPass too. The company stated that it had no evidence of a breach.
Meanwhile, some users say that their master passwords were unique and had never been used with any other service, which, if accurate, contradicts LastPass's explanation. In addition, users who decided to leave LastPass and delete their account entirely ran into a "Something went wrong" error and were unable to complete the deletion.
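The login gate described above, a correct password from an unrecognized device or location that still does not open the vault until the user approves it out of band, is shown here as an added example. This is not LastPass's code or a description of its internals; the account model, the `/24` and `/64` address bucketing used for the device fingerprint, the 15-minute token lifetime and the in-memory `OUTBOX` standing in for the mail system are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the mail system: (recipient, token) pairs land here
# instead of being sent. The token only ever travels in the e-mail link; the
# login response never reveals it, otherwise the gate would be pointless.
OUTBOX = []

VERIFY_TTL_SECONDS = 15 * 60          # assumed lifetime of an approval link
PBKDF2_ITERATIONS = 100_000           # kept low for the demo; use more in production


@dataclass
class Account:
    email: str
    salt: bytes
    master_hash: bytes
    known_devices: set = field(default_factory=set)  # fingerprints already approved
    pending: dict = field(default_factory=dict)      # token -> (fingerprint, expiry)


def hash_master(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation so a leaked verifier cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_account(email: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(email=email, salt=salt, master_hash=hash_master(password, salt))


def device_fingerprint(user_agent: str, ip: str) -> str:
    # Bucket the address so a new lease inside the same /24 (or /64 for IPv6)
    # does not count as a new location; the user agent stands in for the device.
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return hashlib.sha256(f"{user_agent}|{network}".encode()).hexdigest()


def send_verification_email(email: str, token: str) -> None:
    OUTBOX.append((email, token))


def login(account: Account, password: str, user_agent: str, ip: str,
          now: Optional[float] = None) -> str:
    """Returns 'denied', 'ok', or 'verify_required'."""
    now = time.time() if now is None else now
    # Constant-time comparison of the derived key against the stored verifier.
    if not hmac.compare_digest(hash_master(password, account.salt), account.master_hash):
        return "denied"
    fp = device_fingerprint(user_agent, ip)
    if fp in account.known_devices:
        return "ok"
    # Correct password, unknown device/location: do not open the vault. Park the
    # device behind a single-use, expiring token delivered out of band.
    token = secrets.token_urlsafe(32)
    account.pending[token] = (fp, now + VERIFY_TTL_SECONDS)
    send_verification_email(account.email, token)
    return "verify_required"


def confirm_device(account: Account, token: str, now: Optional[float] = None) -> bool:
    """Called when the user follows the e-mailed link; approves the device."""
    now = time.time() if now is None else now
    entry = account.pending.pop(token, None)   # pop: the token is single-use either way
    if entry is None:
        return False
    fp, expiry = entry
    if now > expiry:
        return False
    account.known_devices.add(fp)
    return True


def change_master_password(account: Account, new_password: str) -> None:
    # Re-salt and re-derive, and force every device (including the attacker's,
    # if one was ever approved) through the approval step again.
    account.salt = secrets.token_bytes(16)
    account.master_hash = hash_master(new_password, account.salt)
    account.known_devices.clear()
    account.pending.clear()
```

The point of the design is that a correct master password by itself never yields a session from an unfamiliar device: a credential-stuffing bot with the right password still only triggers an e-mail, which is exactly the notification the users quoted on this page received. Resetting `known_devices` on a password change closes the gap where an already-approved device would otherwise keep working with the new password.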
Not sure about this – I've personally not had one of these login notifications but there's definitely a current issue that's stopping people from deleting their accounts. I just tried deleting my @LastPass account and got a 500 error accompanied by this very informative message. https://t.co/yiMT8xHUSR pic.twitter.com/Sk0wMEXyzL
— Gerard Krupa (@uxian) December 28, 2021
At the time of writing, the source of the compromised master passwords remains unclear. Enabling two-factor authentication on the LastPass account is strongly recommended, since a leaked master password alone is then not enough to log in, and anyone who has reused their master password on another service should replace it with a unique one.