LastPass is one of the most widely used password managers in the industry. In recent days, groups of users have reported that their master passwords had allegedly been compromised, after receiving email warnings that someone had tried to use them to log into their accounts from unknown locations.
The email notifications also mentioned that the login attempts had been blocked because they were made from unrecognized locations around the world. "Someone just used your master password to try to log into your account from a device or location that we did not recognize," the login alerts warn. "LastPass blocked this attempt, but you should take a closer look. Was it you?"
Reports of allegedly compromised LastPass master passwords have continued to trickle in on social media and other online platforms, leading to speculation that the company may have leaked them in some way. However, this is unlikely, since LastPass does not store master passwords on its servers; they are handled locally on the user's device.
What is happening with LastPass?
A spokesperson for the password manager has commented on the situation: "We have investigated recent reports of blocked login attempts and determined that the activity is related to fairly common bot-related activity, in which a malicious actor tries to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third parties through breaches of other unaffiliated services." LastPass says it has no indication that any accounts were accessed or that the service as a whole was compromised by an unauthorized party.
Everything indicates that the affected users may have been victims of a keylogger or another form of third-party attack. Their information could also have been leaked in an unrelated breach where they used the same email address and password.
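The pattern LastPass describes, a few sources trying leaked email/password pairs against many different accounts, is what a defender would look for in authentication logs. The following is an added example, not LastPass code, run over constructed sample events; the IPs, accounts and result labels are made up, and the thresholds are assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real LastPass logs):
# "timestamp source_ip account result"
SAMPLE_LOG = """\
2021-12-27T10:00:01Z 203.0.113.5 alice@example.org blocked_unknown_location
2021-12-27T10:00:02Z 203.0.113.5 bob@example.org blocked_unknown_location
2021-12-27T10:00:03Z 203.0.113.5 carol@example.org blocked_unknown_location
2021-12-27T10:00:04Z 203.0.113.5 dave@example.org blocked_unknown_location
2021-12-27T10:00:05Z 203.0.113.5 erin@example.org blocked_unknown_location
2021-12-27T10:00:06Z 203.0.113.5 frank@example.org success
2021-12-27T10:05:00Z 198.51.100.7 alice@example.org failed_password
2021-12-27T10:05:20Z 198.51.100.7 alice@example.org failed_password
2021-12-27T10:05:40Z 198.51.100.7 alice@example.org success
2021-12-27T11:30:00Z 192.0.2.9 bob@example.org success
"""

def parse_events(text):
    """Parse log lines into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, account, result))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: sorted accounts} for sources that hit >= min_accounts distinct
    accounts inside a sliding time window. A single user fumbling their own
    password (one account, several failures) does not trip this rule."""
    by_ip = defaultdict(list)
    for ts, ip, account, _ in sorted(events):
        by_ip[ip].append((ts, account))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            accounts = {a for _, a in attempts[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = sorted(accounts | set(flagged.get(ip, [])))
    return flagged

def accounts_to_notify(events, flagged):
    """Accounts where a flagged source actually succeeded: the credential
    pair is valid, so the user is reusing a password and should rotate it."""
    return sorted({acct for _, ip, acct, res in events if ip in flagged and res == "success"})
```

The location-based blocking in the alerts stops the attempt, but only the successful logins from a flagged source tell you which users need to change a reused password.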
However, some users say that the passwords used are unique to LastPass and have not been used anywhere else. Some who have changed their password have also received the same alert again.
Until LastPass fully clarifies the situation, it is advisable to change the master password even if it has not been compromised, and to enable two-factor authentication so that no outside party can access the account. Another option is to switch to a different kind of manager, such as one of these free and open source alternatives.