LastPass users notified after suspicious login attempts from strange locations
Some users of the LastPass password manager have received some very alarming news. Their master password – which keeps all other passwords, payment cards, and other sensitive data stored in LastPass safe – had been compromised.
First of all, the good news. As a good password manager application should, LastPass immediately detected suspicious login attempts. They were fairly easy to spot, as the attacker was trying to connect from an unrecognized location.
LastPass blocked the attacker and advised affected users to immediately review their login history. “It is important to note that we have no indication that the accounts were accessed successfully or that the LastPass service was compromised by an unauthorized party,” said Nikolett Bacso-Albaum, Senior Director of LogMeIn Global PR / AR.
LogMeIn has investigated the incident and believes it “relates to fairly common bot activity.” Bacso-Albaum appears to refer to credential stuffing attacks, in which a malicious actor uses a cache of credentials collected from other breaches to attempt to log into accounts on websites or applications.
Alarmingly, however, Bleeping Computer has received reports from some of the affected LastPass users that they were using a unique password as their master password.
So if these passwords were indeed unique, where did the attacker find them? It is not possible that they were stolen from LastPass in some way, as LastPass does not store or have access to users’ master passwords.
There are a few options. The first is that even though a master password is unique, it does not necessarily mean that it is particularly strong. Another is that malware is involved.
Many strains of malware monitor clipboard activity on infected computers. They monitor copy and paste operations, as it is a common way for users to enter long and complex passwords, crypto wallet addresses, or public and private keys.
One of the suspects was the Redline Stealer malware. Redline targets username and password data stored in several popular web browsers, including Chrome, Edge, and Opera.
Security researcher Bob Diachenko obtained extended log files linked to Redline Stealer and was able to confirm that the files contained many LastPass master passwords. Several users who received warnings from LastPass asked him to check the files for their email addresses, but he couldn’t find them.
Diachenko believes this could mean Redline Stealer was not the source of the LastPass attacks. This is unfortunate, because it means the true source remains unknown.
If you are using LastPass to manage your passwords, you do not need to close your account due to these attacks. However, you might want to make sure your account is locked down.
You should protect your account with two-factor authentication if you haven’t already. LastPass has a helpful guide that walks you through the process.
You can also change your master password – and remember not to save it in your browser’s password manager once the change is made.
LastPass and the security community continue to investigate, and this article will be updated when new information is reported.