LastPass is one of the most widely used password managers in the industry. In recent days, groups of users have reported that their master passwords were allegedly compromised, after receiving email warnings that someone had tried to use them to log into their accounts from unknown locations.
The email notifications also mentioned that the login attempts were blocked because they were made from unknown locations around the world. "Someone just used your master password to try to log into your account from a device or location that we did not recognize," warn the login alerts. "LastPass blocked this attempt, but you should take a closer look. Was it you?"
Reports of allegedly compromised LastPass master passwords have continued to trickle onto social media and online platforms, leading to speculation that the company may have leaked them in some way. However, that is unlikely, since LastPass does not store master passwords on its servers; they are managed locally.
What is happening with LastPass?
A spokesperson for the password manager has commented on the situation: "We have investigated recent reports of blocked login attempts and determined that the activity is related to a fairly common bot-related activity, in which a malicious actor tries to access user accounts (in this case, LastPass) using e-mail addresses and passwords obtained from third parties, from breaches in other unaffiliated services." LastPass says it has no indication that the accounts have been accessed or that the service as a whole has been compromised by an unauthorized party.
Everything indicates that the affected users may have been victims of a keylogger or another form of third-party attack. Their information could also have been leaked in an unrelated attack on a service where they use the same email address and password.
However, some users say that the passwords used are unique to LastPass and have not been used elsewhere. Also, some who have tried to change their password have received the same alert again.
Until LastPass fully clarifies the situation, it is recommended to change the master password even if it has not been compromised, and to enable two-factor authentication so that no outside party can access the accounts. Another possibility is to switch to a different password manager, such as one of the free and open source alternatives.