LastPass Denies That Master Passwords Have Been Compromised


LastPass is a popular cloud-based password manager that allows users to quickly generate complex passwords for sites and manage them with a single master password.

Alarmingly, a growing number of users on the Hacker News forum are claiming that their master passwords for LastPass have been compromised. Many are receiving emails from the company about unauthorized login attempts, including users who have kept their master passwords secure via alternative solutions such as KeePass.

“LastPass blocked a login attempt from Brazil (it wasn’t me),” reads a thread created by gregsadetsky that has garnered over 400 comments thus far. “According to an email I received from LastPass, this login was using the LastPass account’s master password. The email doesn’t look like it’s a phishing attempt.”

“What troubles me is that the master password was stored in a local encrypted KeePassX file,” he added.

The thread has prompted LastPass to send out a statement regarding the allegations. According to the company, none of its accounts were accessed or compromised.

LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.

LastPass is available in a variety of plans, including a free option that allows users to manage an unlimited number of passwords. Premium ($3) and Families ($4) plans are also available for home users, with additional features such as encrypted file storage and dark web monitoring.

Source: Hacker News (via How-To Geek)

Tsing Mui
News poster at The FPS Review.
